A Simplified Explanation of CCNA (PDF)
ABOMONA77@YAHOO.COM
00249123842491
00249922346688
Publishing and printing rights reserved
2013
No part of this book may be published, reprinted, have its scientific content stored, or be transmitted in any form, electronic or mechanical, by photocopying, or by recording its contents onto compact discs (CD), whether as text or as audio, without the written consent of the author. Whoever violates this exposes himself to legal liability.
Deposit number
3902/9999
Verse: "They ask you about the spirit. Say: the spirit is from the command of my Lord, and you have not been given of knowledge except a little." (Quran 17:85)
The pen stands unable to write words that do them justice:
To my daughter (Muna)
To the souls of the martyrs
Abubakr Majzoub Mohammed Nour
Huzayfa Fathi Hassan Madani
To the soul of the late Muntasir Anas
To the CTS97 class
Thanks and Gratitude
Introduction:
This book gives a general idea of CCNA. If we have got it right, that is by the grace of God; if we have erred, we ask you to supply us with the correct information so that the benefit spreads. It is an experiment; we ask God to grant us success in it and that computer users benefit from it.
Definition of the computer:
HARDWARE
SOFTWARE
(1) HARDWARE (physical components)
(1) Operating systems: UNIX, LINUX, WINDOWS, ...
(2) Application programs: Microsoft Office, Visual Basic, AutoCAD
* There are several kinds of computers:
1/ Terminal computers: INTELLIGENT TERMINAL
Main Frame
2/ Limited-capability terminals: DUMB TERMINALS
* The computer is divided into three units:
IN PUT Units
CPU
OUT PUT Units
(1) Input units (IN PUT Units)
6/ Microphone (MICROPHONE)
7/ Camera (CAMERA), WEB CAM
(2) Central processing unit (CPU)
It is divided into three units:
1/ C.U
2/ A.L.U
3/ MEM
1/ Control unit (C.U)
(3) Output units (OUT PUT Units)
1/ Monitor (MONITOR)
2/ Printer (PRINTER)
3/ Speaker (SPEAKER)
Definition of computer networks (Computer Network):
Sharing files between different departments (File Sharing). Key terms: Node, IP.
Saving time and money (Save Time & Money). Key terms: Internet & Intranet Sharing Service.
Private use by individuals (Personnel Network):
Sharing printing over the network (Printing Sharing).
Windows 2000 networks (Windows 2000 Network). Key term: NT.4.
Windows 2000 Server (Windows 2000 Server).
Windows Advanced Server (Windows Advanced Server).
Windows 2000 Data Center (Data Center). Key term: ISP (Internet Service Provider).
Network types (Network Type):
(LAN) ...................................(Local Area Network).
(MAN) .........................(Metropolitan Area Network).
(WAN) ........................(Wide Area Network).
(1) Local area networks (LAN).
(2) Metropolitan area networks (MAN). Key terms: Fiber Optic, Wireless Network.
(3) Wide area networks (WAN).
4/ The global network (Internet). Key terms: Satellite, WWW (World Wide Web), Coaxial Cable.
(5) Network classifications (Network Classifications):
(a) Client/server network (Client / Server).
a. Advantages of client/server networks:
b. Disadvantages of client/server networks:
(b) Peer-to-peer network (Peer To Peer).
a. Advantages of peer-to-peer networks:
b. Drawbacks of peer-to-peer networks:
Key terms: Router, Packets, Juniper / Cisco, JUNOS / IOS, ADSL Modems, Modem, Digital to Analogue.
The function of the router (Router)?
There are two kinds of routers:
There are several types of routers by service and size:
ADSL Modem
2/ Routers used for small offices: Gateway, Residential Gateway.
3/ Routers used at the scale of large enterprises: ISPs, Router Level 3 Model.
Key terms: Switch, HUB, Source MAC, Port / MAC, Learning, Forwarding, Filtering, Bandwidth, Unicast, MAC Address Broadcast (Mac Address FFFF.FFFF.FFFF), destination MAC address, Multicast addresses, Multicast.
The difference between SWITCH and ROUTER
Key terms: Router, IP, Hub, bandwidth, Bridge, HUB, switch.
OSI Model Overview
[Figure: the seven OSI layers. Application (Upper) Layers: Application, Presentation, Session. Data Flow Layers: Transport, Network, Data Link, Physical.]
The Data Link layer of the OSI reference model is implemented by switches and bridges. These devices encapsulate data in "frames."
The Network layer of the OSI reference model is implemented by routers. These devices encapsulate data in "packets."
The Transport layer of the OSI reference model is implemented by various protocols, one of which is TCP. TCP uses ports and encapsulates the data in "segments."
Role of Application Layers
EXAMPLES
This layer discusses network applications rather than computer applications. So applications such as spreadsheets, word processors, or presentation graphics are not the applications being described here. Network applications may be applications that support electronic mail, file transfer, remote access, network management, and so on.
Transition: The following discusses the presentation layer.
Role of Application Layers
EXAMPLES
This layer discusses code formatting, data presentation standards, and conversion.
Transition: The following discusses the session layer.
Role of Application Layers
[Figure: examples of upper-layer roles: user interface (Telnet), application (HTTP).]
The lower layers sit below the upper three layers. The remainder of this course is focused on the lower layers.
Role of Data Flow Layers
The physical layer specifies the electrical, mechanical, procedural, and functional requirements for activating, maintaining, and deactivating the physical link between systems.
Certain physical standards are associated with certain data link standards. For example, 802.3 is used with data link standard 802.2 for Ethernet. It is not used in WAN connections. This is covered more in depth later in the course.
The data link layer provides data transport across a physical link. 802.3 is a physical and data link Ethernet protocol. It is used with the 802.2 standard.
Role of Data Flow Layers
[Figure: Transport layer: reliable or unreliable delivery, error correction before retransmit (TCP, UDP, SPX). Network layer: provides logical addressing which routers use for path determination (IP, IPX). PDUs: Network = packet (IP header + data); Physical = bits (0101110101001000010).]
The protocol data units (PDUs) are the terms used in the industry and in this book to describe data at the different layers.
Encapsulation is a key concept that illustrates how data is formatted prior to being sent across a link. This example illustrates Ethernet (or Token Ring) at the data link and physical layers and TCP/IP at the network and transport layers.
De-encapsulating Data
[Figure: Application, Presentation, Session: upper layer data. Transport: TCP header + upper layer data. Network: IP header + TCP + upper layer data. Data Link: MAC header. Physical: bits (0101110101001000010).]
At the destination, the headers at each layer are stripped off as the data moves back up the stack.
[Figure: physical layer standards specify the connector type and the signaling type. Examples: Ethernet / 802.3, EIA/TIA-232, V.35.]
Note: 802.3 is responsible for LANs based on the carrier sense multiple access collision detect (CSMA/CD) access methodology. Ethernet is an example of a CSMA/CD network.
EIA/TIA-232 and V.35 are physical standards that support synchronous serial.
Physical Layer: Ethernet/802.3
[Figure: 10Base2 and 10Base5 (Thick Ethernet) with hosts on a shared segment; 10BaseT (Twisted Pair) with hosts A, B, C and D attached to a hub.]
All devices attached to a hub are on the same collision and broadcast domain. A hub is a layer one device.
TCP/IP Protocol Stack
[Figure: OSI layers beside the TCP/IP layers. Application, Presentation and Session = Application; Transport = Transport; Network = Internet; Data Link = Data Link; Physical = Physical.]
This figure shows the TCP/IP conceptual layer titles. The protocol stack is used several times in this chapter, and the lower two layers may sometimes be called the network interface layer.
The terms "packet" and "datagram" are nearly interchangeable. However, a datagram is a unit of data, while a packet is a physical entity that appears on a network. In most cases, a packet contains a datagram. In some protocols, though, a datagram is divided into a number of packets to accommodate a requirement for smaller transmittable pieces.
Note: Creation and documentation of the Internet protocols closely resembles an academic research project. The protocols are specified in documents called RFCs. RFCs are published, reviewed, and analyzed by the Internet community.
Application Layer Overview
[Figure: application layer protocols. File transfer: TFTP*, FTP*, NFS. E-mail: SMTP. *Used by the router.]
The common network applications today include file transfer, remote login, network management, and e-mail.
We focus on TCP/IP in this course for several reasons:
TCP/IP is a universally available protocol and you will use it at work.
TCP/IP is a useful reference for understanding other protocols, because it includes elements that are representative of other protocols.
TCP/IP is important because the router uses it as a configuration tool. The router uses Telnet for remote configuration, TFTP to transfer configuration files and operating system images, and SNMP for network management.
Transport Layer Overview
[Figure: transport layer protocols. Transmission Control Protocol (TCP): connection-oriented. User Datagram Protocol (UDP): connectionless.]
TCP is one protocol within the protocol suite of TCP/IP. TCP is an acknowledged transport-layer protocol. However, TCP has a large header, so there is much overhead.
UDP is unacknowledged. By eliminating all of the acknowledgement mechanisms, UDP is fast and efficient. UDP does not divide application data into pieces. Reliability is assumed to be handled by the upper-layer protocols, by a reliable lower-layer protocol, or by an error-tolerant application. UDP does have a smaller header and less overhead.
TCP Segment Format
[Figure: TCP header, bits 0-31: Source Port, Destination Port; Sequence Number; Acknowledgment Number; HLEN, Reserved (6 bits), Code Bits, Window; Checksum, Urgent Pointer; Options (0 or 32 if any); Data (varies).]
Source Port and Destination Port are the connections to the upper-layer protocol.
Sequence and Acknowledgment numbers are the position in the user's byte stream of this segment. Sequence numbers are used for establishing reliability.
HLEN is the header length. It tells us where the data begins.
Six bits are reserved for future use.
Code Bits distinguish session management messages from data.
Window is a term we will come back to in a few slides. For now, consider it the size of the receiver's buffers.
Checksum is a cyclic redundancy check (CRC). It verifies that the datagram arrived intact.
Urgent Pointer is used to signify out-of-band data.
Options are used by vendors to enhance their protocol offering.
The data portion of the frame contains the upper-layer protocol data.
Port Numbers
[Figure: well-known port numbers at the transport layer (TCP and UDP): FTP 21, Telnet 23, SMTP 25, DNS 53, TFTP 69, SNMP 161, RIP 520.]
These port numbers were standardized in RFC 1340. This RFC has been obsoleted by RFC 1700. However, many of the port numbers outlined in RFC 1340 are still being used as standards.
It is possible to filter on TCP port numbers.
The TCP port number, combined with other information, is what UNIX C language developers call a socket. However, sockets have different meanings in XNS and Novell, where they are service access point abstractions or programming interfaces rather than service access point identifiers.
[Figure: a Telnet session between Host A and Host Z. Each segment carries a source port and a destination port; the destination port at Host Z is 23.]
In most cases the TCP port number on one side of a conversation is the same on the other side. For example, when a file transfer takes place, the software on one host is communicating with a peer application on another host.
In this example we see a Telnet (TCP port 23) session. It is possible to have multiple Telnet sessions running simultaneously on a host or router. Telnet selects an unused port number above 1023 to represent the source port for each independent session. Notice that the destination port is still 23.
Port numbering is important to understand in order to configure IP extended access lists. The lack of symmetry in port number use is a critical factor in establishing effective security.
TCP is a simple protocol in terms of connection establishment. Some protocols have dozens of negotiation messages that are transmitted prior to session initialization.
TCP implements a strategy that is both necessary and sufficient.
[Figure, steps 1 and 2 of the open: Host A sends SYN (seq=100, ctl=SYN); Host B: SYN received. Host B sends SYN, ACK (seq=300, ack=101, ctl=syn,ack); Host A: SYN received.]
Host B sends an ACK and acknowledges the SYN it received from host A. Host B also sends a SYN. Note that the acknowledgment field indicates host B is now expecting to hear sequence 101, acknowledging the SYN that occupied sequence 100.
TCP Three Way Handshake/Open Connection
[Figure: Host A and Host B. 1. Host A: Send SYN (seq=100, ctl=SYN); Host B: SYN received. 2. Host B: Send SYN, ACK (seq=300, ack=101, ctl=syn,ack); Host A: SYN received. 3. Established (seq=101, ack=301, ctl=ack).]
This sequence is like two people talking. The first person wants to talk to the second, so she says, "I would like to talk with you." (SYN.) The second person responds, "Good. I want to talk with you." (SYN, ACK.) The first person then says, "Fine—let us talk. Here is what I have to say." (SYN, ACK, DATA.)
At this point either side can begin communicating and either side can break the connection. TCP is a peer-to-peer (balanced) communication method (no primary/secondary).
Note: This figure explains TCP connection establishment. For more information regarding the three-way handshake in establishing a TCP connection, refer to RFC 793.
TCP Simple Acknowledgment
[Figure: Sender and Receiver, window size = 1, no messages yet sent.]
The window size is the number of messages transmitted before the sender must wait for an acknowledgment. Window size was presented earlier in the course, so this slide is a review.
The initial state: no messages being sent.
TCP Simple Acknowledgment
[Figure: window size = 1. Sender: Send 1; Receiver: Receive 1. Receiver: Send ACK 2; Sender: Receive ACK 2.]
Data message 1 sent (Send 1, Receive 1). Acknowledgment message 2 sent (Send ACK 2, Receive ACK 2).
[Figure: window size = 1. Send 1, Receive 1; Send ACK 2, Receive ACK 2; Send 2, Receive 2; Send ACK 3, Receive ACK 3; Send 3, Receive 3.]
Data message 2 sent (Send 2, Receive 2). ACK for message 2 (Send ACK 3, Receive ACK 3). Send 3, Receive 3.
[Figure: window size = 1. Send 1, Receive 1; Send ACK 2, Receive ACK 2; Send 2, Receive 2; Send ACK 3, Receive ACK 3; Send 3, Receive 3; Send ACK 4, Receive ACK 4.]
TCP Sequence and Acknowledgment Numbers
[Figure: each segment carries Source Port, Dest. Port, Sequence and Acknowledgement. "I just sent #10." "I just got #10, now I need #11." "I just sent #11." "I just got #11, now I need #12."]
Source  Dest.  Seq.  Ack.
1028    23     10    1
23      1028   1     11
1028    23     11    2
23      1028   2     12
TCP Windowing
This figure points out the benefit of a larger window size. Layer 1 is in the initial state, no messages being sent. Layer 2 illustrates how the sending device defines its window buffer as 3 and sends three bytes.
[Figure: Sender and Receiver, window size = 3. Sender: Send 1, Send 2, Send 3. Packet 3 is dropped. Receiver: ACK 3, window size = 2. Sender: Send 3, Send 4.]
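The handshake and the windowed acknowledgment sequence above, modelled in Python as an added example (not code from the original guide): three_way_handshake reproduces the seq=100 / seq=300 exchange, and windowed_transfer replays the numbered-message figures, including the dropped packet 3 and the receiver's smaller advertised window. Two simplifications are assumed here: out-of-order messages are discarded rather than buffered (Go-Back-N style), and the receiver shrinks its window by exactly one after a loss.

```python
"""TCP open and windowed, acknowledged delivery as shown in the guide's figures.

Added example, not code from the original guide. Messages are numbered 1, 2, 3 ...
and the receiver acknowledges with the number it needs next, as in the slides.
"""


def three_way_handshake(seq_a=100, seq_b=300):
    """Return the three segments of a TCP open as (sender, seq, ack, ctl) tuples.

    Each side acknowledges the peer's SYN by announcing the sequence number it
    expects next (ack = peer's seq + 1), which is why B answers seq=100 with ack=101.
    """
    syn = ("A", seq_a, None, "SYN")                 # 1. A -> B
    syn_ack = ("B", seq_b, seq_a + 1, "SYN,ACK")    # 2. B -> A
    ack = ("A", seq_a + 1, seq_b + 1, "ACK")        # 3. A -> B, connection established
    return [syn, syn_ack, ack]


def windowed_transfer(messages, window, drop_first=()):
    """Deliver numbered messages through a send window with one ACK per window.

    `drop_first` lists message numbers whose first transmission is lost. The
    receiver accepts only the message it expects next and discards anything out
    of order (assumed Go-Back-N simplification). After a loss it advertises a
    window one smaller, as the figure's "ACK 3, window size = 2" shows.
    Returns (trace, delivered).
    """
    if window < 1:
        raise ValueError("window must be at least 1")
    lost_once = set(drop_first)
    trace, delivered = [], []
    expected = 1            # receiver: next message number needed
    base = 1                # sender: oldest unacknowledged message number
    while base <= len(messages):
        lost_this_round = False
        for n in range(base, min(base + window, len(messages) + 1)):
            if n in lost_once:                  # first transmission of n is lost
                lost_once.discard(n)
                lost_this_round = True
                trace.append(f"Send {n} (dropped)")
                continue
            trace.append(f"Send {n}")
            if n == expected:                   # in order: accept and advance
                delivered.append(messages[n - 1])
                expected += 1
                trace.append(f"Receive {n}")
            else:                               # out of order: receiver discards it
                trace.append(f"Discard {n} (expected {expected})")
        if lost_this_round:
            window = max(1, window - 1)         # assumed: receiver shrinks window after a loss
        trace.append(f"Send ACK {expected} (window {window})")
        base = expected                         # everything below the ACK number is confirmed
    return trace, delivered


if __name__ == "__main__":
    for segment in three_way_handshake():
        print(segment)
    events, _ = windowed_transfer(["m1", "m2", "m3", "m4"], window=3, drop_first={3})
    print("\n".join(events))
```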
UDP Segment Format
[Figure: UDP header, bits 0-31, 8 bytes: Source port (16), Destination port (16); Length (16), Checksum (16); Data (if any).]
UDP is simple and efficient but not reliable. The UDP segment format includes a source port, a destination port, a length field, and an optional checksum field. It has no sequencing, acknowledgments, or windowing.
Example: TFTP uses a checksum. At the end of the transfer, if the checksum does not match, then the file did not make it. The user is notified and must type in the command again. As a result, the user has become the reliability mechanism.
Transition: The next section discusses the network layer of the OSI model and how it corresponds to the TCP/IP internet layer.
Internet Layer Overview
[Figure: protocols at the TCP/IP internet layer: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP). The OSI network layer corresponds to the TCP/IP internet layer.]
Routing protocols are usually considered layer-management protocols that support the network layer.
IP Datagram
[Figure: IP header, bits 0-31, 20 bytes: Version (4), Header Length (4), Priority & Type of Service (8), Total Length (16); Identification (16), Flags (3), Fragment offset (13); Time to live (8), Protocol (8), Header checksum (16); Source IP Address (32); Destination IP Address (32); Options (0 or 32 if any); Data (varies if any).]
The current generation of IP is version 4. We need the Header Length (HLEN) and the Total Length in this example because the IP Options field allows a variable length.
Time-To-Live (TTL) is a countdown field. Every station must decrement this number by one or by the number of seconds it holds onto the packet. When the counter reaches zero, the time to live expires and the packet is dropped. TTL keeps packets from endlessly wandering the internet in search of nonexistent destinations.
The next generation of IP (called IPng) is IP version 6. It is covered in RFC 1752.
Good references for this topic are Douglas Comer's books on TCP/IP.
Protocol Field
[Figure: the IP Protocol field determines the destination upper-layer protocol: TCP = 6, UDP = 17.]
Protocol numbers connect, or multiplex, IP to the transport layer. These numbers are standardized in RFC 1700. Cisco uses these numbers in filtering with extended access lists.
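A parser for the three headers discussed above (the IP datagram, then TCP or UDP selected by the Protocol number 6 or 17), written here as an added example rather than code from the guide. The two sample packets are constructed: a Telnet SYN and a TFTP datagram between 172.16.3.1 and 172.16.3.2, with source port 1028 taken from the sequence-number figure; the IP header checksum is verified, so a corrupted header is rejected rather than parsed.

```python
"""Decode an IPv4 datagram and demultiplex TCP (6) / UDP (17) by the Protocol field.

Added example, not code from the original guide; the sample packets below are constructed.
"""
import struct

TCP, UDP = 6, 17
# The six TCP code bits, in the low six bits of the offset/flags word.
TCP_CODE_BITS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IP header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(datagram: bytes) -> dict:
    """Decode the 20-byte fixed IP header, check the lengths and verify the checksum."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the 20-byte IP header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _chk,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # HLEN counts 32-bit words
    if version != 4 or hlen < 20 or hlen > total_len or total_len > len(datagram):
        raise ValueError("malformed IPv4 header lengths")
    if ip_checksum(datagram[:hlen]) != 0:                  # valid header sums to zero
        raise ValueError("IP header checksum mismatch")
    return {"version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
            "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "options": datagram[20:hlen], "payload": datagram[hlen:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Decode the 20-byte fixed TCP header: ports, seq/ack, HLEN, code bits, window."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    sport, dport, seq, ack, off_flags, window, chk, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4             # data offset in 32-bit words
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP header length")
    code_bits = off_flags & 0x3F             # the six bits above these are reserved
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": [name for bit, name in TCP_CODE_BITS.items() if code_bits & bit],
            "window": window, "checksum": chk, "urgent": urg,
            "options": segment[20:hlen], "data": segment[hlen:]}


def parse_udp(segment: bytes) -> dict:
    """Decode the 8-byte UDP header; Length covers header plus data."""
    if len(segment) < 8:
        raise ValueError("segment shorter than the 8-byte UDP header")
    sport, dport, length, chk = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": chk,
            "data": segment[8:length]}


def demux(datagram: bytes) -> dict:
    """Parse IP, then use the Protocol number to pick the transport parser."""
    ip = parse_ipv4(datagram)
    parsers = {TCP: parse_tcp, UDP: parse_udp}
    ip["transport"] = parsers[ip["protocol"]](ip["payload"]) if ip["protocol"] in parsers else None
    return ip


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 datagram with a correct header checksum (for the samples)."""
    def octets(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, octets(src), octets(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


# Constructed samples: a Telnet SYN (source port above 1023, destination port 23,
# seq=100, window 1024) and a TFTP datagram to port 69, from 172.16.3.1 to 172.16.3.2.
SAMPLE_TELNET_SYN = build_ipv4("172.16.3.1", "172.16.3.2", TCP,
                               struct.pack("!HHIIHHHH", 1028, 23, 100, 0, (5 << 12) | 0x02, 1024, 0, 0))
SAMPLE_TFTP = build_ipv4("172.16.3.1", "172.16.3.2", UDP,
                         struct.pack("!HHHH", 2049, 69, 8 + 5, 0) + b"hello")

if __name__ == "__main__":
    for packet in (SAMPLE_TELNET_SYN, SAMPLE_TFTP):
        d = demux(packet)
        print(d["src"], "->", d["dst"], "protocol", d["protocol"], d["transport"])
```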
Internet Control Message Protocol
[Figure: ICMP sits at the internet layer beneath Transport and Application. Message types shown: Destination Unreachable, Echo (Ping), Other.]
[Figure, ARP steps 1 and 2: host 172.16.3.1 needs the Ethernet address of host 172.16.3.2 (IP 172.16.3.2 = ???) and broadcasts an ARP request.]
Host 172.16.3.2 is on the same wire and receives the ARP request message.
[Figure, ARP step 3: host 172.16.3.2 answers "I heard that broadcast. The message is for me. Here is my Ethernet address." Ethernet: 0800.0020.1111.]
Host 172.16.3.2 sends an ARP reply with its MAC address to host 172.16.3.1.
[Figure: the completed ARP exchange; host 172.16.3.1 now maps IP 172.16.3.2 to Ethernet 0800.0020.1111. Summary: Ethernet; maps IP to Ethernet; local ARP.]
Reverse ARP
[Figure, RARP step 1: a host with Ethernet address 0800.0020.1111 and IP = ??? broadcasts "What is my IP address?"]
In layer 1, the host on the left needs its IP address. It sends a RARP request with its MAC address.
[Figure, RARP step 2: the host on the right hears the broadcast: "I heard that broadcast. Your IP address is 172.16.3.25."]
The host on the right, functioning as a RARP server, maps the MAC address to an IP address.
[Figure, RARP step 3: the reply carries IP 172.16.3.25 for Ethernet 0800.0020.1111.]
The host on the right sends the IP address to the requester in a RARP reply message.
[Figure: the completed RARP exchange; the requester now has IP 172.16.3.25 for Ethernet 0800.0020.1111. Summary: RARP maps Ethernet to IP.]
[Figure: an internetwork of routers and networks (10.13.0.0, 172.17.0.0, 172.18.0.0, 172.16.0.0, 192.168.1.0); a packet (HDR, SA, DA, DATA) is forwarded between end stations.]
– Unique addressing allows communication between end stations
– Path choice is based on location
• Location is represented by an address
IP Addressing
[Figure: an IP address is 32 bits written in dotted decimal, with a Network portion and a Host portion; the maximum value of each octet is 255 (binary 11111111). Bit positions 1-8, 9-16, 17-24, 25-32; bit weights within an octet 128 64 32 16 8 4 2 1.]
Example: decimal 172.16.122.204 = binary 10101100 00010000 01111010 11001100.
IP Address Classes
[Figure: four 8-bit octets.]
• Class A: Network Host Host Host
• Class B: Network Network Host Host
• Class C: Network Network Network Host
• Class D: Multicast
• Class E: Research
Discuss classes of addresses. Each address contains information about the network number and the host number of the device. Class A addresses are for very large organizations. Class B addresses are for smaller organizations, and Class C addresses for even smaller ones.
As the number of networks grows, classes may eventually be replaced by another addressing mechanism, such as classless interdomain routing (CIDR). RFC 1467, Status of CIDR Deployment in the Internet, presents information about CIDR. RFC 1817, CIDR and Classful Routing, also presents CIDR information.
IP Address Classes
Bits: 1-8, 9-16, 17-24, 25-32
Class A: 0NNNNNNN Host Host Host, range (1-126)
Class B: 10NNNNNN Network Host Host, range (128-191)
Class C: 110NNNNN Network Network Host, range (192-223)
Class D: 1110MMMM Multicast Group Multicast Group Multicast Group, range (224-239)
[Figure: a router with interface E0 on network 172.16.0.0 (addresses 172.16.2.1, 172.16.3.10, 172.16.12.12) and interface E1 on network 10.0.0.0 (addresses 10.1.1.1, 10.6.24.2, 10.250.8.11, 10.180.30.118). The address 172.16.12.12 splits into network 172.16 and host 12.12.]
Routing Table
Network     Interface
172.16.0.0  E0
10.0.0.0    E1
In the example, 172.16.0.0 and 10.0.0.0 refer to the wires at each end of the router.
Explain how the routing table is used. Entries in the routing table refer to the network only. The router does not know the location of hosts—it knows the location of networks.
Determining Available Host Addresses
[Figure: network 172.16.0.0; the network field is 10101100 00010000 and the host field has N = 16 bits. Host values are listed from 00000000 00000000 (1), 00000000 00000001 (2), 00000000 00000011 (3) ... through 11111111 11111101 (65534), 11111111 11111110 (65535), 11111111 11111111 (65536).]
2^N - 2 = 2^16 - 2 = 65534
2^N - 2 is the calculation to determine available hosts. N is the number of binary digits in the host field. Subtract 2 because a host cannot be all 0s or all 1s.
The same principle applies when determining the number of available networks.
IP Address Classes Exercise
Address         Class  Network  Host
10.2.1.1
128.63.2.100
201.222.5.64
192.6.141.2
130.113.64.16
256.241.201.10
This exercise verifies that the students understand IP address classes, network numbers, and host numbers.
Give the students time to list the address class, network, and host number for each IP address in the table. Review the correct answers interactively.
The answers are given in the following figure.
IP Address Classes Exercise Answers
Address         Class        Network      Host
10.2.1.1        A            10.0.0.0     0.2.1.1
128.63.2.100    B            128.63.0.0   0.0.2.100
201.222.5.64    C            201.222.5.0  0.0.0.64
256.241.201.10  Nonexistent
Addressing without Subnets
[Figure: addressing without subnets is a single flat network 172.16.0.0; with subnets, network 172.16.0.0 is divided into 172.16.1.0, 172.16.2.0, 172.16.3.0 and 172.16.4.0.]
The host bits of an IP address can be subdivided into a subnetwork section and a host section. The subnetwork section in this example is the full third octet.
Point out the difference in the addressing between the previous slide and this slide.
A subnetted address space is like a highway with exits.
A network device uses a subnet mask to determine what part of the IP address is used for the network, the subnet, and the device ID.
A subnet mask is a 32-bit value containing a number of one bits for the network and subnet ID and a number of zero bits for the host ID.
Given its own IP address and subnet mask, a device can determine if an IP packet is destined for 1) a device on its own subnet, 2) a device on a different subnet on its own network, or 3) a device on a different network.
A device can determine what class of address the device has been assigned from its own IP address. The subnet mask then tells the device where the boundary is between the subnet ID and the host ID.
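The classful analysis from the exercise above, the 2^N - 2 host rule, and the three-way decision a device makes from its own address and mask, as an added Python example that is not code from the original guide. The addresses come from the guide's tables and figures; the 255.255.255.0 mask applied to 172.16.2.160 is assumed from the subnet-addressing example, and the contiguity check follows the note on discontiguous masks.

```python
"""Classful IP address analysis and the subnet decision described in the guide.

Added example, not code from the original guide. classify() reproduces the
class exercise, usable_hosts() is the 2^N - 2 rule, and destination_relation()
decides same subnet / same network, different subnet / different network.
"""

# (class name, exclusive upper bound of the first octet, default mask length).
CLASS_BOUNDS = (("A", 128, 8), ("B", 192, 16), ("C", 224, 24), ("D", 240, None), ("E", 256, None))


def parse_ip(text: str) -> int:
    """Dotted decimal -> 32-bit integer; rejects anything not four octets in 0-255."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {text}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(value: int) -> str:
    """Class letter from the leading bits of the first octet (0..., 10..., 110..., 1110...)."""
    first = value >> 24
    for name, upper, _bits in CLASS_BOUNDS:
        if first < upper:
            return name
    raise ValueError("first octet out of range")


def default_mask(value: int):
    """Classful (default) mask as an integer, or None for classes D and E."""
    bits = next(b for n, _u, b in CLASS_BOUNDS if n == address_class(value))
    return None if bits is None else (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def classify(text: str):
    """(class, network, host) as in the exercise answers, or ('Nonexistent', None, None)."""
    try:
        value = parse_ip(text)
    except ValueError:                      # e.g. 256.241.201.10: an octet above 255
        return ("Nonexistent", None, None)
    mask = default_mask(value)
    if mask is None:                        # multicast / research: no network-host split
        return (address_class(value), None, None)
    return (address_class(value), to_dotted(value & mask), to_dotted(value & ~mask & 0xFFFFFFFF))


def usable_hosts(host_bits: int) -> int:
    """2^N - 2: the all-zeros and all-ones host values are not assignable."""
    return (1 << host_bits) - 2 if host_bits >= 2 else 0


def is_contiguous_mask(mask: int) -> bool:
    """True when the mask is ones followed by zeros, with no intervening zeros."""
    zeros = ~mask & 0xFFFFFFFF
    return zeros & (zeros + 1) == 0


def destination_relation(my_ip: str, my_mask: str, dst_ip: str) -> str:
    """The three cases a device distinguishes from its own address and subnet mask."""
    me, mask, dst = parse_ip(my_ip), parse_ip(my_mask), parse_ip(dst_ip)
    if not is_contiguous_mask(mask):
        raise ValueError("discontiguous subnet mask")
    if (me & mask) == (dst & mask):         # 1) same subnet: deliver directly
        return "same subnet"
    class_mask = default_mask(me)           # 2) same classful network, other subnet
    if class_mask is not None and (me & class_mask) == (dst & class_mask):
        return "same network, different subnet"
    return "different network"              # 3) send to the router


if __name__ == "__main__":
    for addr in ("10.2.1.1", "128.63.2.100", "201.222.5.64", "192.6.141.2",
                 "130.113.64.16", "256.241.201.10"):
        print(addr, classify(addr))
    print("hosts with 16 host bits:", usable_hosts(16))
    print(destination_relation("172.16.2.160", "255.255.255.0", "172.16.3.5"))
```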
Subnet Addressing
Figure: a router with interface E0 on subnet 172.16.2.0 (172.16.2.1, 172.16.2.2, 172.16.2.160, 172.16.2.200) and interface E1 on subnet 172.16.3.0 (172.16.3.1, 172.16.3.5, 172.16.3.100, 172.16.3.150).
If networks could not be broken down into more granular subnetworks, few networks could exist, each with a capacity for many hosts.
Subnet Addressing
Figure: the same router and hosts as above; 172.16.2.160 is read as network 172.16, subnet 2, host 160.
New Routing Table
Network Interface
172.16.2.0 E0
172.16.3.0 E1
By turning on more bits in the mask, we reserve some bits as network information and can use these bits to describe subnetworks.
Describe how the router makes use of this technique. Point out that there is more information
in the routing table now.
Note: As you enter the discussion about subnet masks, a question might arise about whether it
is legal to define a discontiguous subnet mask. A discontiguous subnet mask consists of
intervening zeros, as in 101111011000, rather than all ones followed by zeros, as in
1111111100000000. The question has two answers. According to RFC 950 that describes IP, a
discontiguous subnet mask is legal. However, the hardware expense to produce an interface
that supports discontiguous masking is cost-prohibitive. Thus in practice it is not supported on
most vendors’ equipment, including Cisco. Also, discontiguous masking has no benefit, and it
is much more difficult to maintain a network based on this design. Later RFCs make
noncontiguous subnet masks illegal because they are incompatible with future addressing
schemes such as CIDR.
Subnet Mask
IP Address 172.16.0.0: network 172.16, host 0.0
Default Subnet Mask 255.255.0.0: 11111111 11111111 00000000 00000000
Also written as “/16” where 16 represents the number of 1s in the mask.
8-bit Subnet Mask 255.255.255.0: 11111111 11111111 11111111 00000000 (network 172.16, subnet 0, host 0)
Also written as “/24” where 24 represents the number of 1s in the mask.
Turn on more bits to represent subnets.
Compare the default or standard subnet mask with the subnet mask in the slide.
These are the rules for IP addressing:
An address is 32 bits, divided into three components:
First octet rule bits
Network bits (path selection bits)
Node bits
The first octet rule states that the most significant bit pattern in the first octet determines the class of the address.
Path selection bits cannot be all ones or zeros.
Certain addresses are reserved. RFC 1918 defines some of those.
Prefix or mask one bits are path selection significant; zero bits are host bits and therefore not significant.
Use the logical AND to combine the address and mask bits to get the subnet address.
The maximum number of available subnets equals 2^(prefix bits) - 2; the maximum number of available hosts equals 2^(32 - prefix bits) - 2.
Decimal Equivalents of Bit Patterns
Bit weights: 128 64 32 16 8 4 2 1
1 0 0 0 0 0 0 0 = 128
1 1 0 0 0 0 0 0 = 192
1 1 1 0 0 0 0 0 = 224
1 1 1 1 0 0 0 0 = 240
1 1 1 1 1 0 0 0 = 248
1 1 1 1 1 1 0 0 = 252
1 1 1 1 1 1 1 0 = 254
1 1 1 1 1 1 1 1 = 255
Network Host
172.16.2.160 10101100 00010000 00000010 10100000
255.255.0.0 11111111 11111111 00000000 00000000
Network Number 10101100 00010000 00000000 00000000 = 172.16.0.0
• Subnets not in use—the default
Explain how masking works at the bit level. Zero bits mask host information.
Note: This is an easy place to lose students. At this point, they need to learn several abstract
mathematical concepts before we can show them how to lay out an IP-addressed network. To
the novice these techniques may seem unrelated, making the presentation confusing. To a more
experienced audience, these techniques will be familiar.
Subnet Mask with Subnets
Network Subnet Host
172.16.2.160 10101100 00010000 00000010 10100000
255.255.255.0 11111111 11111111 11111111 00000000
Network Number 10101100 00010000 00000010 00000000 = 172.16.2.0
• Network number extended by eight bits
This example makes a Class B address space look like a collection of Class C address spaces.
Now the logical AND allows us to extract the subnet number as well as the assigned network
number.
An exercise follows that tests the students’ understanding of subnet masks.
Subnet Mask with Subnets (cont.)
Network Subnet Host
172.16.2.160 10101100 00010000 00000010 10100000
255.255.255.192 11111111 11111111 11111111 11000000
Network Number 10101100 00010000 00000010 10000000 = 172.16.2.128
• Network number extended by ten bits
This example is different from the previous example in that the subnet and host are divided within an octet.
Transition: An exercise follows that tests the students’ understanding of subnet masks.
Subnet Mask Exercise
Address Subnet Mask Class Subnet
172.16.2.10 255.255.255.0
10.6.24.20 255.255.240.0
10.30.36.12 255.255.255.0
This exercise is for the students to take the given IP addresses and associated subnet masks and
perform a logical AND to extract the subnet number. Provide time in class and review the
answers after the majority of students have finished.
The answers are given in the following figure.
Subnet Mask Exercise Answers
Broadcast Addresses
Figure: subnets 172.16.1.0, 172.16.2.0, 172.16.3.0 and 172.16.4.0
172.16.3.255 (Directed broadcast)
255.255.255.255 (Local network broadcast)
172.16.255.255 (All subnets broadcast)
A range of addresses is needed to allocate address space. A valid range of addresses is between
subnet zero and the directed broadcast.
These RFCs provide more information about broadcasts:
RFC 919, Broadcasting Internet Datagrams
RFC 922, Broadcasting IP Datagrams in the Presence of Subnets
Cisco’s support for broadcasts generally complies with these two RFCs. It does not support
multisubnet broadcasts that are defined in RFC 922.
Addressing Summary Example
Host 172.16.2.160 10101100 00010000 00000010 10100000 (1)
Mask 255.255.255.192 11111111 11111111 11111111 11000000 (2)
Subnet 172.16.2.128 10101100 00010000 00000010 10000000 (4)
Broadcast 172.16.2.191 10101100 00010000 00000010 10111111 (5)
First 172.16.2.129 10101100 00010000 00000010 10000001 (6)
Last 172.16.2.190 10101100 00010000 00000010 10111110 (7)
The slide is built up in the numbered steps; the vertical line on the slide marks the boundary after the last one bit of the mask. Notes for the steps:
Broadcast (5): fill in ones beyond the vertical line for the broadcast address.
First (6): fill in 0s beyond the vertical line except for the last bit. Make that bit a 1. This is the first usable host address.
Last (7): fill in 1s beyond the vertical line except for the last bit. Make that bit a 0. This is the last usable host address.
Step 8: copy the binary network and subnetwork address from the top row into the lower rows.
Class B Subnet Planning
Requirements: 20 subnets, 5 hosts per subnet
Class C network 192.168.5.0; subnets such as 192.168.5.16
What if this were a Class B address? How many bits would we have for subnetting then? Where
do you want to draw the line now?
Alternatives to review: Creating the subnet at the octet boundary is easier to work with—more
host bits and more subnet bits.
Explain that the decision is really a guess on how you think your network will grow—will it have
more subnets or more hosts?
RFC 1219 Mirroring: Mirroring hedges the subnetting decision by buying time. Do not use
mirroring if you intend to use route summarization or variable-length subnet masking (VLSM);
they are incompatible with mirroring.
IP Host Address: 192.168.5.121
Subnet Mask: 255.255.255.248
Network Network Network Subnet/Host
192.168.5.121: 11000000 10101000 00000101 01111001
255.255.255.248: 11111111 11111111 11111111 11111000
Subnet: 11000000 10101000 00000101 01111000
Broadcast: 11000000 10101000 00000101 01111111
• Subnet Address = 192.168.5.120
• Host Addresses = 192.168.5.121–192.168.5.126
• Broadcast Address = 192.168.5.127
• Five Bits of Subnetting
Contrast the Class C network subnet mask with the previous Class B example.
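The planning decision above ("where do you want to draw the line?") done as arithmetic, as an added example that is not part of the original course notes: from the required subnets and hosts it finds the smallest number of subnet bits that satisfies the page's 2^n - 2 rule, then derives the mask, and it lists every possible split of the class's host bits so the subnets-versus-hosts trade-off is visible. The requirement (20 subnets, 5 hosts per subnet on a Class C) is the page's; the function names (bits_needed, plan_subnets, draw_the_line) are my own.

```python
# Added example (not from the original course notes): classful subnet planning
# with the rule that n bits give 2**n - 2 usable subnets or hosts.

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}

def bits_needed(count):
    """Smallest n with 2**n - 2 >= count; the all-zeros and all-ones patterns
    are excluded, as the addressing rules on the page require."""
    n = 1
    while 2 ** n - 2 < count:
        n += 1
    return n

def plan_subnets(address_class, subnets, hosts_per_subnet):
    """Pick a mask for the given class, or return None when the required
    subnet bits plus host bits do not fit into the class's host field."""
    network_bits = CLASSFUL_PREFIX[address_class]
    available = 32 - network_bits          # host bits of the classful network
    subnet_bits = bits_needed(subnets)
    host_bits = bits_needed(hosts_per_subnet)
    if subnet_bits + host_bits > available:
        return None                        # the request cannot be satisfied
    prefix = network_bits + subnet_bits
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    mask = ".".join(str((mask_int >> s) & 0xFF) for s in (24, 16, 8, 0))
    host_bits = available - subnet_bits    # every bit not used for subnets is a host bit
    return {
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "prefix": prefix,
        "mask": mask,
        "usable_subnets": 2 ** subnet_bits - 2,
        "usable_hosts": 2 ** host_bits - 2,
    }

def draw_the_line(address_class):
    """Every way to split the class's host field, as
    (subnet_bits, usable_subnets, usable_hosts); each side keeps at least 2 bits."""
    available = 32 - CLASSFUL_PREFIX[address_class]
    return [(s, 2 ** s - 2, 2 ** (available - s) - 2) for s in range(2, available - 1)]

if __name__ == "__main__":
    print("Class C, 20 subnets x 5 hosts:", plan_subnets("C", 20, 5))
    print("Same need on a Class B:      ", plan_subnets("B", 20, 5))
    print("Class C, 20 subnets x 10 hosts:", plan_subnets("C", 20, 10))
    for split in draw_the_line("C"):
        print("subnet bits %d -> %d subnets, %d hosts each" % split)
```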
Broadcast Addresses Exercise
Address Subnet Mask Class Subnet Broadcast
201.222.10.60 255.255.255.248
15.16.193.6 255.255.248.0
128.16.32.13 255.255.255.252
153.50.6.27 255.255.255.128
Have the students calculate the subnet numbers and the broadcast address for each subnet from the
given IP addresses and subnet masks.
Broadcast Addresses Exercise Answers
Address Subnet Mask Class Subnet Broadcast
201.222.10.60 255.255.255.248 C 201.222.10.56 201.222.10.63
15.16.193.6 255.255.248.0 A 15.16.192.0 15.16.199.255
128.16.32.13 255.255.255.252 B 128.16.32.12 128.16.32.15
153.50.6.27 255.255.255.128 B 153.50.6.0 153.50.6.127
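The steps of the Addressing Summary Example and of this broadcast exercise done by a program, as an added example that is not part of the original course notes: AND the address with the mask for the subnet, set the host bits for the directed broadcast, and take subnet + 1 and broadcast - 1 as the first and last usable hosts. It also rejects a discontiguous mask, which the note on subnet masks says is not supported, and returns no host range for a /31 or /32. The function names (to_int, to_dotted, to_binary, check_mask, subnet_summary) are my own; the addresses and masks are the page's.

```python
# Added example (not from the original course notes): subnet, broadcast, first
# and last host from an address and a subnet mask, as in the summary slide.

def to_int(dotted):
    """Dotted decimal -> 32-bit integer."""
    octets = [int(p) for p in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value):
    """32-bit integer -> four binary octets separated by spaces, as on the slides."""
    return " ".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def check_mask(mask):
    """A valid mask is ones followed by zeros; return its prefix length or
    raise for a discontiguous mask such as 255.255.255.160."""
    ones = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if mask != contiguous:
        raise ValueError("discontiguous subnet mask: " + to_dotted(mask))
    return ones

def subnet_summary(address, mask):
    """Return prefix length, subnet, broadcast, first and last usable host."""
    a, m = to_int(address), to_int(mask)
    prefix = check_mask(m)
    subnet = a & m                              # step 4: host bits cleared
    broadcast = subnet | (~m & 0xFFFFFFFF)      # step 5: host bits all ones
    if prefix >= 31:
        first = last = None                     # no room for hosts beside subnet/broadcast
    else:
        first = subnet + 1                      # step 6: host bits 0...01
        last = broadcast - 1                    # step 7: host bits 1...10
    return {
        "prefix": prefix,
        "subnet": to_dotted(subnet),
        "broadcast": to_dotted(broadcast),
        "first": None if first is None else to_dotted(first),
        "last": None if last is None else to_dotted(last),
    }

if __name__ == "__main__":
    for addr, mask in [("172.16.2.160", "255.255.255.192"),
                       ("201.222.10.60", "255.255.255.248"),
                       ("15.16.193.6", "255.255.248.0")]:
        s = subnet_summary(addr, mask)
        print("%s %s (/%d)" % (addr, mask, s["prefix"]))
        print("  host      %s" % to_binary(to_int(addr)))
        print("  mask      %s" % to_binary(to_int(mask)))
        print("  subnet    %s %s" % (to_binary(to_int(s["subnet"])), s["subnet"]))
        print("  broadcast %s %s" % (to_binary(to_int(s["broadcast"])), s["broadcast"]))
        print("  first %s  last %s" % (s["first"], s["last"]))
```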
Router on a Stick
Figure: a router interface Fast E0/0 carrying an ISL trunk for VLAN 1 and VLAN 2; hosts 10.1.1.2 and 10.2.2.2; the protocol stack shown is Application, TCP, IP, ISL, Ethernet.
• Network layer devices combine multiple broadcast domains
The VLANs are on different networks. Without a network layer device they could not communicate.
Review the protocols operating at each of the OSI layers.
Dividing a Physical Interface into Subinterfaces
FastEthernet 0/0 divided into FastEthernet 0/0.1, FastEthernet 0/0.2 and FastEthernet 0/0.3
• Physical interfaces can be divided into multiple subinterfaces
At this point, it is important for students to understand that if they want to connect multiple VLANs, they need a separate connection for each VLAN. This can be accomplished by establishing a physical connection for each VLAN that will interconnect with other VLANs or by splitting a trunk into multiple logical subinterfaces.
Routing Between VLANs
Figure: router interface Fast E0/0 with an ISL trunk to VLAN 1 (host 10.1.1.2) and VLAN 2 (host 10.2.2.2), configured as follows:
interface fastethernet 0/0
 no ip address
!
interface fastethernet 0/0.1
 ip address 10.1.1.1 255.255.255.0
 encapsulation isl 1
interface fastethernet 0/0.2
 ip address 10.2.2.1 255.255.255.0
 encapsulation isl 2
Figure: two routers connected over serial interface S0 (172.16.1.1 and 172.16.1.2), with VLAN 1 on one side and VLAN 2 on the other; the figure carries ISL labels.
This figure shows that the same principles apply when interconnecting WANs.
Note: HDLC is used in this example because it is on by default. Students just need to know that it is Cisco’s default serial layer 2 encapsulation.
Introducing IP Addresses
Highlight the fixed values that start each class address.
The first octet rule states that when an address falls into a specified range, it belongs to a
certain class. Students should soon be able to recognize the address class of any IP address on
sight.
Note: If time or interest permits, you can use the initial bit patterns in the first octet and show
how a class of IP network derives the range of network numbers for that IP address class.
Host Addresses
In the example, 172.16.0.0 and 10.0.0.0 refer to the wires at each end of the router.
Explain how the routing table is used. Entries in the routing table refer to the network only.
The router does not know the location of hosts; it knows the location of networks.
© 2002, Cisco Systems, Inc. All rights reserved. ICND v2.0 — 1 -10
Network Device Configuration
Configuration sets up the device with:
- Network policy of the functions required
- Protocol addressing and parameter settings
- Options for administration and management
Catalyst switch memory has initial configuration with default settings
Cisco router will prompt for initial configuration if there is no configuration in memory
An Overview of Cisco Device Startup
• Find and check device hardware
• Find and load Cisco IOS software image
• Find and apply device configurations
Paraphrase or restate the three points and make sure your students follow the description. This description is necessary to keep a common perspective of what is occurring on first the switch and then the router; these three steps should be an anchor to return to as needed.
This overview of what happens with Cisco network device startup transitions to the next topic: Where are the sources for configuration software?
The network device can be configured from several locations. After you create the initial configuration, you can configure the ports or interfaces to enable configuration over virtual terminal ports (VTY).
Both router and switch support telnet access as a virtual terminal.
The router, by default, supports virtual terminals 0 through 4. That means that the router can be accessed for configuration purposes from the console port, the auxiliary port, and five VTY lines at the same time—up to seven people can configure the router at once.
You should caution students about the above point and inform them that security should be strictly observed through password protection to avoid unauthorized access to the configuration files.
Another component important to configuration in the network is a TFTP server.
The TFTP server can be a UNIX or PC workstation that acts as a central depository for files.
You can keep configuration files on the TFTP server and then download them to the device.
You can also configure the device from a network management station running network management software such as CWSI, CiscoWorks or HP OpenView. Before you can access or change the configuration from a virtual terminal, TFTP server, or network management station, you must have the device configured to support IP traffic.
Cisco IOS User Interface Fundamentals
*Uses a command line interface
*Operations vary on different internetworking devices
*Type or paste entries in the console command modes
*Enter key instructs device to parse and execute the command
*Two primary EXEC modes are user mode and privileged mode
*Command modes have distinctive prompts
Cisco IOS Software EXEC
There are two main EXEC modes for entering commands.
First mode:
User Mode
*Limited examination of switch or router
*Command Prompt is hostname>
The Cisco IOS Software EXEC (cont.)
Second mode (and most commonly used):
Privileged (or enabled) Mode
*Detailed examination of switch or router
*Enables configuration and debugging
*Prerequisite for other configuration modes
*Command prompt is hostname#
Initial Start up of the Catalyst Switch
*System startup routines initiate switch software
*Initial startup uses default configuration parameters
1. Before you start the switch, verify the cabling and console connection
2. Attach the power cable plug to the switch power supply socket
3. Observe the boot sequence
*LEDs on the switch chassis
*Cisco IOS software output text
Checking Switch LED Indicators
Logging into the Switch and Entering the Enable Password
Console
Switch#show interfaces
27 Fixed Ethernet/IEEE 802.3 interface(s)
Base Ethernet Address: 00-50-BD-73-E2-C0
wg_sw_c#show run
This page shows the format and output of the show running-config on the 1912 and 1924. There is a slide in chapter 6 that covers the port numberings on the Cat 1912.
Showing the Switch IP Address
wg_sw_a#show ip
IP Address: 10.5.5.11
Subnet Mask: 255.255.255.0
Default Gateway: 10.5.5.3
Management VLAN: 1
Domain name:
Name server 1: 0.0.0.0
Name server 2: 0.0.0.0
HTTP server : Enabled
HTTP port : 80
RIP : Enabled
wg_sw_a#
Console
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic management setup configures only enough connectivity
for management of the system, extended setup will ask you
to configure each interface on the system
Would you like to enter basic management setup? [yes/no]: n
Setup Global Parameters
Configuring global parameters:
Enter host name [Router]:MONA
The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: cisco
The enable password is used when you do not specify an
enable secret password, with some older software versions, and
some boot images.
Enter enable password: sanfran
The virtual terminal password is used to protect
access to the router over a network interface.
Enter virtual terminal password: sanjose
Configure SNMP Network Management? [no]:
Configure Vines? [no]:
Configure XNS? [no]:
Configure Apollo? [no]:
Logging into the Router
MONA con0 is now available
Press RETURN to get started.
MONA>
MONA>enable
MONA#
MONA#disable
MONA>
MONA>logout
Router User Mode Command List
MONA>?
Exec commands:
access-enable Create a temporary Access-List entry
atmsig Execute Atm Signalling Commands
cd Change current device
clear Reset functions
connect Open a terminal connection
dir List files on given device
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
-- More --
You can abbreviate a command to the fewest characters that make a unique character string.
Router Privileged Mode Command List
MONA#?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
access-template Create a temporary Access-List entry
bfe For manual emergency modes setting
cd Change current directory
clear Reset functions
clock Manage the system clock
configure Enter configuration mode
connect Open a terminal connection
copy Copy from one file to another
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
erase Erase a filesystem
exit Exit from the EXEC
help Description of the interactive help system
-- More --
Router Command Line Help Facilities
Context-Sensitive Help: provides a list of commands and the arguments associated with a specific command.
Console Error Messages: identify problems with router commands incorrectly entered so that you can alter or correct them.
• Symbolic translation
• Command prompting
• Last command recall
• Syntax checking
MONA# cl?
clear clock
MONA# clock
% Incomplete command.
MONA# clock ?
set Set the time and date
MONA# clock set ?
hh:mm:ss Current Time
MONA# clock set 19:56:00 ?
<1-31> Day of the month
MONTH Month of the year
Router# clock set 19:56:00 04 8
^
% Invalid input detected at the '^' marker
MONA# clock set 19:56:00 04 August
% Incomplete command.
MONA# clock set 19:56:00 04 August ?
<1993-2035> Year
Using Enhanced Editing Commands
MONA>Shape the future of internetworking by creating unpreced
MONA>$ future of internetworking by creating unprecedented op
MONA>$ value for customers, employees, and partners.
(The full line is: Shape the future of internetworking by creating unprecedented value for customers, employees, and partners.)
(Automatic scrolling of long lines.)
<Ctrl-A> (Move to the beginning of the command line.)
<Ctrl-E> (Move to the end of the command line.)
<Esc-B> (Move back one word.)
<Ctrl-F> (Move forward one character.)
<Ctrl-B> (Move back one character.)
<Esc-F> (Move forward one word.)
<Ctrl-D> (Delete a single character.)
Reviewing Router Command History
Ctrl-P or Up arrow Last (previous) command recall
Ctrl-N or Down arrow More recent command recall
MONA> show history Show command buffer contents
MONA> terminal history size lines Set session command buffer size
show version Command
MONA#show version
Figure: configuration sources: the console, the setup utility, show running-config and show startup-config; the IOS image.
Setup saves the configuration to NVRAM
show running and show startup Commands
In RAM
MONA#show running-config
Building configuration...
Current configuration:
!
version 12.0
!
-- More --
In NVRAM
MONA#show startup-config
Using 1359 out of 32762 bytes
!
version 12.0
!
-- More --
Configuration Mode Prompts (exit returns to the previous mode)
MONA(config)# Global
Router(config-if)# Interface
Router(config-subif)# Subinterface
Router(config-controller)# Controller
Router(config-line)# Line
Router(config-router)# Router
Router(config-ipx-router)# IPX router
Saving Configurations
MONA#
MONA#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
MONA#
Copy the current configuration to NVRAM
Configuring Router Identification
Router Name
Router(config)#hostname MONA
MONA(config)#
Router Password Configuration
Console Password
MONA(config)#line console 0
MONA(config-line)#login
MONA(config-line)#password 1102011
Virtual Terminal Password
Router(config)#line vty 0 4
Router(config-line)#login
MONA(config-line)#password 1102011
Enable Password
MONA(config)#enable password 1102011
Secret Password
MONA(config)#enable secret sanfran
(The enable secret is stored as a hash and takes precedence over the enable password, which the configuration keeps in clear text.)
Configuring a Serial Interface
Enter global configuration mode:
MONA#configure term
MONA(config)#
Specify the interface:
MONA(config)#interface serial 0
MONA(config-if)#
Set the bandwidth (recommended):
MONA(config-if)#bandwidth 64
MONA(config-if)#exit
MONA(config)#exit
MONA#
Enabling and Disabling an Interface
The shutdown command administratively turns off an interface; no shutdown enables an interface that is administratively shut down:
MONA#configure term
MONA(config)#interface serial 0
MONA(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINEPROTO-5-UPDOWN: Line Protocol on Interface Serial0, changed state to up
Router show interfaces Command
MONA#show interfaces
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 00e0.1e5d.ae2f (bia 00e0.1e5d.ae2f)
Internet address is 10.1.1.11/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:07, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
81833 packets input, 27556491 bytes, 0 no buffer
Received 42308 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
0 input packets with dribble condition detected
55794 packets output, 3929696 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 4 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Serial interface excerpt:
Hardware is HD64570
Description: 64Kb Line to San Jose
[Figure: carrier detect and keepalive status of the serial line.]
Discovering Neighbors with CDP
Using CDP
MONA-A#sh cdp ?
entry Information for specific neighbor entry
interface CDP interface status and configuration
neighbors CDP neighbor entries
traffic CDP statistics
<cr>
MONA-A(config)#no cdp run
MONA-A(config)#interface serial0
MONA-A(config-if)#no cdp enable
Using the show cdp neighbor Command
[Figure: sample show cdp neighbor output.]
Using the show cdp entry Command
Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Using Telnet to Connect to Remote Devices
Mona-a#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
-------------------------------------------------
Catalyst 1900 Management Console
Copyright (c) Cisco Systems, Inc. 1993-1998
All rights reserved.
Enterprise Edition Software
Remote device
Ethernet Address: 00-90-86-73-33-40
PCA Number: 73-2239-06
PCA Serial Number: FAA02359H8K
Model Number: WS-C1924-EN
System Serial Number: FAA0237X0FQ
..
SwitchB>
MONA-A#sh session
Conn Host Address Byte Idle Conn Name
1 10.1.1.2 10.1.1.2 0 1 10.1.1.2
* 2 10.3.3.2 10.3.3.2 0 0 10.3.3.2
MONA-A#sh user
Line User Host(s) Idle Location
* 0 con 0 10.1.1.2 3
10.3.3.2 2
11 vty 0 idle 1 10.1.1.2
Suspending a Telnet Session
AHMED#<Ctrl-Shift-6>x
MONA-A#sh session
Conn Host Address Byte Idle Conn Name
1 10.1.1.2 10.1.1.2 0 1 10.1.1.2
MONA-A#resume 1
AHMED#
Router Start-up Sequence
*Load the IOS software
*Find the configuration
*Load the configuration
*Run
Router Internal Components
[Figure: RAM, NVRAM, Flash, ROM, the configuration register, and the interfaces.]
ROM Functions
[Figure: ROM holds the bootstrap, POST, the ROM monitor, and a mini IOS; show version, run from the console, reports them.]
Finding the IOS
[Figure: the configuration register, the startup config in NVRAM (show startup-config), Flash, and the console (show version) take part in locating the IOS image.]
Order of search:
1. Check configuration register
2. Parse config in NVRAM
3. Default to first file in Flash
4. Attempt net boot
5. RXBOOT
6. ROMMON
Router Start-up Flow Chart
[Flow chart: Load IOS -> Is configuration register bit 6 = 1? Yes -> setup dialog. No -> Is there a valid config? Yes -> normal start-up complete. No -> setup dialog.]
Determining the Current Configuration Register Value
MONA_a#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Mon 08-Feb-99 18:18 by phanguye
Image text-base: 0x03050C84, data-base: 0x00001000
ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)
MONA uptime is 20 minutes
System restarted by reload
System image file is "flash:c2500-js-l_120-3.bin"
--More--
Configuration register is 0x2102
Configuration register value in show version
Configuration Register Values
MONA#configure terminal
MONA(config)#config-register 0x2102
[Ctrl-Z]
MONA#reload
*Configuration register bits 3, 2, 1, and 0 set the boot option
Configuration Register Boot Field   Meaning
0x0                                 Use ROM monitor mode (manually boot using the b command)
0x1                                 Automatically boot from ROM (provides IOS subset)
0x2 to 0xF                          Examine NVRAM for boot system commands (0x2 default if router has Flash)
[Figure: the IOS image is loaded from Flash into RAM; show flash, run from the console, lists the images in Flash.]
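The boot field and the bit the flow chart tests can be read straight off the register value that show version prints. The following is an added Python example, not code from the book, that pulls the value out of show version output and decodes it with the table above. The meaning of bit 6 (ignore the NVRAM configuration, which is why the flow chart sends the router into the setup dialog) is an assumption taken from the flow chart, and the register values used in the comments other than 0x2102 are constructed.

```python
BOOT_FIELD_MEANING = {
    0x0: "Use ROM monitor mode (manually boot using the b command)",
    0x1: "Automatically boot from ROM (provides IOS subset)",
}
# Assumption from the start-up flow chart: bit 6 set means the NVRAM configuration is
# ignored at boot, so the router enters the setup dialog.
IGNORE_NVRAM_BIT = 0x0040


def boot_field(register):
    """Bits 3, 2, 1 and 0 of the configuration register select the boot option."""
    return register & 0xF


def describe_boot_field(field):
    if field in BOOT_FIELD_MEANING:
        return BOOT_FIELD_MEANING[field]
    # every value from 0x2 to 0xF means the same thing
    return "Examine NVRAM for boot system commands (0x2 default if router has Flash)"


def decode_config_register(register):
    field = boot_field(register)
    return {
        "register": f"0x{register:04X}",
        "boot_field": field,
        "boot_meaning": describe_boot_field(field),
        "ignore_nvram": bool(register & IGNORE_NVRAM_BIT),
    }


def parse_show_version(text):
    """Find the register in 'show version' output, e.g. 'Configuration register is 0x2102'
    (IOS appends '(will be 0x... at next reload)' after a change, so take the token after 'is')."""
    for line in text.splitlines():
        if line.startswith("Configuration register is "):
            tokens = line.split()
            return int(tokens[tokens.index("is") + 1], 16)
    raise ValueError("no configuration register line found")


# Constructed excerpt of the page's show version output.
SAMPLE_SHOW_VERSION = """MONA uptime is 20 minutes
System restarted by reload
System image file is "flash:c2500-js-l_120-3.bin"
Configuration register is 0x2102
"""

if __name__ == "__main__":
    value = parse_show_version(SAMPLE_SHOW_VERSION)
    print(decode_config_register(value))      # boot field 2, NVRAM honoured
```

A value whose low nibble is 0x2 with bit 6 clear (0x2102) follows the normal path: boot from the boot system commands in NVRAM and load the saved configuration; any value with bit 6 set skips the saved configuration, which is worth checking for whenever a router unexpectedly comes up in the setup dialog.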
Loading the Configuration
[Figure: the configuration in RAM (show running-config) and in NVRAM (show startup-config); the setup utility at the console can also supply it.]
MONA#show running-config
Building configuration...
Current configuration:
!
version 12.0
!
-- More --
In NVRAM
MONA#show startup-config
Using 1359 out of 32762 bytes
!
version 12.0
!
-- More --
Sources of Configurations
[Figure: configuration in RAM (running config) and in NVRAM (startup config), with the console/terminal and a TFTP server as further sources.]
copy running startup   (RAM -> NVRAM)
copy startup running   (NVRAM -> RAM, merge)
config term            (terminal -> RAM, merge)
Configuration sources:
*NVRAM
*Terminal
*TFTP server
IOS file system names: system: (RAM), nvram:, flash:, tftp:
Managing IOS Images
[Figure: the image c2500-js-l_120-3.bin is copied between the router's Flash and a network (TFTP) server.]
Preparing for a Network Backup Image
*Check access to the server
Creating a Software Image Backup
MONA#copy flash tftp
Source filename []? c2500-js-l_120-3.bin
Address or name of remote host []? 10.1.1.1
Destination filename [c2500-js-l_120-3.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<output omitted>
10084696 bytes copied in 709.228 secs (14223 bytes/sec)
MONA#
Upgrading the Image from the Net
MONA#copy tftp flash
Address or name of remote host [10.1.1.1]?
Source filename []? c2500-js-l_120-3.bin
Destination filename [c2500-js-l_120-3.bin]?
Accessing tftp://10.1.1.1/c2500-js-l_120-3.bin...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeee (output omitted) ...erased
Erase of flash: complete
Loading c2500-js-l_120-3.bin from 10.1.1.1 (via Ethernet0): !!!!!!!!!!!!!!!!!!!!
(output omitted)
[OK - 10084696/20168704 bytes]
Verifying checksum... OK (0x9AA0)
10084696 bytes copied in 309.108 secs (32636 bytes/sec)
MONA#
*Erase Flash occurs before loading new image
*Note message that image already exists
Switch
How Switches Learn Host Locations
[Figure: hosts A (0260.8c01.1111) on port E0, B (0260.8c01.3333) on E1, C (0260.8c01.2222) on E2 and D (0260.8c01.4444) on E3; the switch records each source MAC address against the port it arrived on.]
How Switches Filter Frames
[Figure: C (0260.8c01.2222) and D (0260.8c01.4444) on segment 2; frames between hosts on the same segment are filtered rather than forwarded to the other ports.]
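The learn / filter / forward / flood decisions the two figures describe are small enough to run. This is an added Python example, not code from the book: a switch with the page's four MAC addresses on ports E0 to E3. The frames are constructed, and for the filtering case the example assumes a hub joins C and D on port E2 so that a frame between them arrives on the port the switch already associates with the destination.

```python
BROADCAST = "ffff.ffff.ffff"


class LearningSwitch:
    """A transparent switch: learns source MACs, then filters, forwards or floods."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the list of ports it is sent out of."""
        # Learning: the source MAC lives behind the port the frame arrived on.
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            # Broadcast or unknown unicast: flood out every port except the ingress port.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:
            # Filtering: destination is on the same segment as the sender, which has
            # already seen the frame, so the switch drops it.
            return []
        return [out_port]            # Forwarding: known destination on another port


# The page's hosts; constructed assumption: C and D share a hub on port E2.
A, B, C, D = "0260.8c01.1111", "0260.8c01.3333", "0260.8c01.2222", "0260.8c01.4444"


def page_example():
    """Replays a constructed sequence of frames and returns (MAC table, egress ports per frame)."""
    sw = LearningSwitch(["E0", "E1", "E2", "E3"])
    trace = [
        sw.receive("E0", A, C),           # A -> C: C not yet learned, flooded
        sw.receive("E2", C, A),           # C -> A: A known on E0, forwarded there only
        sw.receive("E2", D, C),           # D -> C: both on E2, filtered
        sw.receive("E1", B, BROADCAST),   # broadcast: flooded
    ]
    return sw.mac_table, trace


if __name__ == "__main__":
    table, trace = page_example()
    for ports in trace:
        print(ports)
    print(table)
```

The table only ever records where a source address was seen; nothing in this logic verifies that a source address belongs on that port, which is exactly why the redundant-topology problems described next (and MAC table instability in particular) arise.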
Redundant Topology
*Redundant topology eliminates single points of failure
*Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems
Broadcast Storms
[Figure: server/host X and router Y on segment 1; switches A and B both join segment 1 to segment 2, so a broadcast from host X is forwarded by both switches.]
*Host X sends a broadcast
Multiple Frame Copies
[Figure: same topology; host X sends a unicast frame that both switches forward onto segment 2.]
*Host X sends a unicast frame to router Y
*Router Y MAC address has not been learned by either switch yet
*Router Y will receive two copies of the same frame
MAC Database Instability
[Figure: same topology; switches A and B connect to segment 1 on port 0 and to segment 2 on port 1.]
*Host X sends a unicast frame to router Y
*Router Y MAC address has not been learned by either switch yet
*Switch A and B learn host X MAC address on port 0
*Frame to router Y is flooded
*Switch A and B incorrectly learn host X MAC address on port 1
Multiple Loop Problems
[Figure: a server/host and workstations connected through several overlapping switch loops; a broadcast circulates around each loop.]
Spanning-Tree Protocol
[Figure: two switches joined by both a 100baseT and a 10baseT link; Spanning-Tree blocks (x) the redundant 10baseT path.]
Spanning-Tree Protocol Root Bridge Selection
[Figure: Switch X (default priority 32768 = 8000 hex, MAC 0c0011111111) and Switch Y (default priority 32768 = 8000 hex, MAC 0c0022222222) exchange BPDUs.]
Spanning-Tree Protocol Port States
Listening
Learning
Forwarding
Spanning-Tree Example
[Figure: port 0 of Switch Z (MAC 0c0011110000, default priority 32768) connects over 100baseT to port 0 of Switch X (MAC 0c0011111111, default priority 32768) and port 0 of Switch Y (MAC 0c0022222222, default priority 32768); port 1 of X and port 1 of Y are joined by a second 100baseT link.]
Resulting port roles:
Switch Z port 0: designated port (F)
Switch X port 0: root port (F)
Switch Y port 0: root port (F)
Switch X port 1: designated port (F)
Switch Y port 1: nondesignated port (BLK)
Spanning-Tree Recalculation
[Figure: Switch X (MAC 0c0011111111, default priority 32768) is the root bridge and sends BPDUs to Switch Y (MAC 0c0022222222, default priority 32768); the switches are joined by a 100baseT link on port 0 and a 10baseT link on port 1; X port 1 is the designated port and Y port 1 the nondesignated port (BLK); links marked x have failed and force a recalculation.]
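The root bridge election and the port roles in the example above follow from three comparisons: lowest bridge ID (priority, then MAC) picks the root; each other switch picks the port with the cheapest path to the root as its root port; on every segment, the attached switch closest to the root owns the designated port and every remaining port is blocked. The following is an added Python example, not code from the book, that performs those comparisons for the page's switches X, Y and Z. It assumes the IEEE 802.1D default port costs (19 for 100baseT, 100 for 10baseT); the page names the link speeds, not the costs.

```python
INF = float("inf")
# Assumption: IEEE 802.1D default port path costs for the speeds the page mentions.
PORT_COST = {"10baseT": 100, "100baseT": 19}


def bridge_id(priority, mac):
    """Bridge ID = priority then MAC address; the lowest value wins."""
    return (priority, int(mac, 16))


def run_stp(switches, segments):
    """switches: {name: (priority, mac)}
    segments: {segment name: (speed, [(switch, port), ...])}
    Returns (root switch, root path cost per switch, role of every (switch, port))."""
    bids = {name: bridge_id(*pm) for name, pm in switches.items()}
    root = min(bids, key=bids.get)
    cost = {name: (0 if name == root else INF) for name in switches}
    root_port = {}
    # Each non-root switch takes the best offer it hears: a neighbour's root path cost
    # plus the cost of the port the offer arrives on (ties: lower bridge ID, lower port).
    for _ in range(len(switches)):
        for sw in switches:
            if sw == root:
                continue
            best = None
            for speed, attachments in segments.values():
                for me, port in attachments:
                    if me != sw:
                        continue
                    for other, _ in attachments:
                        if other == sw:
                            continue
                        offer = (cost[other] + PORT_COST[speed], bids[other], port)
                        if best is None or offer < best:
                            best = offer
            if best is not None and best[0] < INF:
                cost[sw], root_port[sw] = best[0], best[2]
    roles = {}
    for speed, attachments in segments.values():
        # The designated port on a segment belongs to the attached switch closest to the root.
        designated = min(attachments, key=lambda a: (cost[a[0]], bids[a[0]], a[1]))
        for sw, port in attachments:
            if (sw, port) == designated:
                roles[(sw, port)] = "designated port (F)"
            elif root_port.get(sw) == port:
                roles[(sw, port)] = "root port (F)"
            else:
                roles[(sw, port)] = "nondesignated port (BLK)"
    return root, cost, roles


# The page's example: Z, X and Y on one 100baseT segment, X and Y on a second one.
PAGE_SWITCHES = {"X": (32768, "0c0011111111"),
                 "Y": (32768, "0c0022222222"),
                 "Z": (32768, "0c0011110000")}
PAGE_SEGMENTS = {"seg1": ("100baseT", [("Z", 0), ("X", 0), ("Y", 0)]),
                 "seg2": ("100baseT", [("X", 1), ("Y", 1)])}

# The recalculation slide: X and Y alone, joined by a 100baseT and a 10baseT link.
RECALC_SWITCHES = {"X": (32768, "0c0011111111"), "Y": (32768, "0c0022222222")}
RECALC_SEGMENTS = {"fast": ("100baseT", [("X", 0), ("Y", 0)]),
                   "slow": ("10baseT", [("X", 1), ("Y", 1)])}

if __name__ == "__main__":
    root, cost, roles = run_stp(PAGE_SWITCHES, PAGE_SEGMENTS)
    print("root:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"Switch {sw} port {port}: {role}")
```

Because every switch's priority is the default 32768, the MAC address alone decides the election; the cheaper link wins the second scenario, which is why the 10baseT port on Y ends up blocked.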
Key Issue: Time to Convergence
*Convergence occurs when all the switches and bridge ports have transitioned to either the forwarding or blocking state
*When network topology changes, switches and bridges must recompute the Spanning-Tree Protocol, which disrupts user traffic
Bridging Compared to LAN Switching
Bridging                                 LAN Switching
Primarily software based                 Primarily hardware based (ASIC)
One spanning-tree instance per bridge    Many spanning-tree instances per switch
Usually up to 16 ports per bridge        More ports on a switch
Transmitting Frames through a Switch
[Figure: a frame entering and leaving the switch.]
Duplex Overview
Half duplex (CSMA/CD)
*Unidirectional data flow
*Higher potential for collision
*Hub connectivity
Full duplex
*Point-to-point only
*Attached to dedicated switched port
*Requires full-duplex support on both ends
*Collision free
*Collision detect circuit disabled
VLAN
VLAN Operations
[Figure: VLAN operation on Switch A.]
VLAN Membership Modes
ISL Tagging
ISL trunks enable VLANs across a backbone
ISL Encapsulation
*Frames encapsulated with ISL header and CRC
*Support for many VLANs (1024)
*VLAN field
*BPDU bit
VTP Modes
VTP Pruning
*Increases available bandwidth by reducing unnecessary flooded traffic
*Example: Station A sends a broadcast; the broadcast is only flooded toward switches with ports assigned to the red VLAN
Routing
What is Routing?
Identifying Static and Dynamic Routes
Static Route                                   Dynamic Route
Uses a route that a network administrator      Uses a route that a network routing protocol
enters into the router manually                adjusts automatically for topology or traffic changes
Static Routes
Configure unidirectional static routes to and from a stub network to allow communications to occur.
This is a unidirectional route. You must have a route configured in the opposite direction.
Default Routes
This route allows the stub network to reach all known networks beyond router A.
What is a Routing Protocol?
Autonomous Systems: Interior or Exterior Routing Protocols
Classes of Routing Protocols
Distance Vector—Sources of Information and Discovering Routes
Distance Vector—Selecting Best Route with Metrics
Distance Vector—Maintaining Routing Information
Each node maintains the distance from itself to each possible destination network
Defining a Maximum
Split Horizon
It is never useful to send information about a route back in the direction from which the original packet came
Routers set the distance of routes that have gone down to infinity
Poison Reverse
The router keeps an entry for the network in a possibly-down state, allowing time for other routers to recompute for this topology change
Triggered Updates
Implementing Solutions in Multiple Routes
Implementing Solutions in Multiple Routes (cont.)
Link-State Routing Protocols
After the initial flood, pass small event-triggered link-state updates to all other routers
Hybrid Routing
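Defining a maximum, split horizon and poison reverse are easiest to appreciate by watching what happens without them. The following is an added Python example, not code from the book: three routers A - B - C exchange distance-vector updates in synchronous rounds about a single network N attached to C (a constructed topology); C then loses its link to N and sets the distance to infinity (16, RIP's maximum). The same simulation is run with plain updates, with split horizon, and with poison reverse, and it reports how many rounds of changes it takes before the tables stop changing.

```python
INFINITY = 16   # RIP's "maximum": a hop count of 16 means the network is unreachable


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.table = {}            # destination -> (hop count, next-hop router name or None)

    def connect(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def advertisement_for(self, neighbor, mode):
        """The update this router sends toward one neighbour.
        mode: "none" (send everything), "split_horizon" (suppress routes learned
        from that neighbour) or "poison_reverse" (send them back as unreachable)."""
        update = {}
        for dest, (hops, next_hop) in self.table.items():
            if next_hop == neighbor.name:
                if mode == "split_horizon":
                    continue
                if mode == "poison_reverse":
                    update[dest] = INFINITY
                    continue
            update[dest] = hops
        return update

    def process(self, sender, update):
        """Bellman-Ford: adopt a cheaper path, or any change reported by the current next hop."""
        for dest, hops in update.items():
            new_hops = min(hops + 1, INFINITY)
            current = self.table.get(dest)
            if current is None or new_hops < current[0] or current[1] == sender.name:
                self.table[dest] = (new_hops, sender.name)


def simulate(mode, max_rounds=100):
    """Constructed topology A - B - C with network N attached to C. The link C-N fails
    and C poisons the route; returns (rounds in which some table changed, final hop
    counts for N at each router)."""
    a, b, c = Router("A"), Router("B"), Router("C")
    a.connect(b)
    b.connect(c)
    routers = [a, b, c]
    c.table["N"] = (0, None)            # directly connected
    b.table["N"] = (1, "C")             # converged state before the failure
    a.table["N"] = (2, "B")
    c.table["N"] = (INFINITY, None)     # link to N goes down: C sets the distance to infinity
    rounds_with_change = 0
    for _ in range(max_rounds):
        before = {r.name: dict(r.table) for r in routers}
        # every router builds its updates from the tables as they stood when the round began
        updates = [(r, n, r.advertisement_for(n, mode)) for r in routers for n in r.neighbors]
        for sender, receiver, update in updates:
            receiver.process(sender, update)
        if all(r.table == before[r.name] for r in routers):
            break
        rounds_with_change += 1
    return rounds_with_change, {r.name: r.table["N"][0] for r in routers}


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        rounds, final = simulate(mode)
        print(f"{mode:15s} rounds until stable: {rounds:2d}  final hop counts: {final}")
```

Without split horizon, B keeps handing C a route to N that C itself originated, and the hop count climbs one step per round until the defined maximum stops it (count to infinity); with either split horizon or poison reverse the stale route is never sent back toward C and the tables settle in two rounds. Every router ends with N at 16 in all three runs, so the maximum is what bounds the damage, not what prevents it.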
Verifying the Routing Protocol—RIP
MONA-A#sh ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 0 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 1, receive any version
Interface Send Recv Key-chain
Ethernet0 1 12
Serial2 1 12
Routing for Networks:
10.0.0.0
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 120 00:00:10
Distance: (default is 120)
MONA-A#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 2 subnets
R 10.2.2.0 [120/1] via 10.1.1.2, 00:00:07, Serial2
C 10.1.1.0 is directly connected, Serial2
R 192.168.1.0/24 [120/2] via 10.1.1.2, 00:00:07, Serial2
MONA#debug ip rip
RIP protocol debugging is on
MONA-A#
00:06:24: RIP: received v1 update from 10.1.1.2 on Serial2
00:06:24: 10.2.2.0 in 1 hops
00:06:24: 192.168.1.0 in 2 hops
00:06:33: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (172.16.1.1)
00:06:34: network 10.0.0.0, metric 1
00:06:34: network 192.168.1.0, metric 3
00:06:34: RIP: sending v1 update to 255.255.255.255 via Serial2 (10.1.1.1)
00:06:34: network 172.16.0.0, metric 1
IGRP
Introduction to IGRP
[Figure: IGRP's metric is built from the properties of the path between source and destination.]
*Bandwidth
*Delay
*Reliability
*Loading
*MTU
IGRP Unequal Multiple Paths
[Figure: an initial route and a new route from source to destination.]
*Maximum six paths
*Next-hop router closer to destination
*Within metric variance
Configuring IGRP
MONA(config)#router igrp autonomous-system
*Defines IGRP as the IP routing protocol
MONA(config-router)#network network-number
*Selects participating attached networks
Configuring IGRP (cont.)
MONA(config-router)#variance multiplier
*Control IGRP load balancing
MONA(config-router)#traffic-share { balanced | min }
*Control how load-balanced traffic is distributed
IGRP Configuration Example
Autonomous System = 100
[Figure: router A (E0 172.16.1.1 on network 172.16.1.0, S2 10.1.1.1) - router B (S2 10.1.1.2, S3 10.2.2.2) - router C (S3 10.2.2.3, E0 192.168.1.1 on network 192.168.1.0).]
MONA#sh ip protocols
Routing Protocol is "igrp 100"
Sending updates every 90 seconds, next due in 21 seconds
Invalid after 270 seconds, hold down 280, flushed after 630
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
IGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
IGRP maximum hopcount 100
IGRP maximum metric variance 1
Redistributing: igrp 100
Routing for Networks:
10.0.0.0
172.16.0.0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 100 00:01:01
Distance: (default is 100)
Displaying the IP Routing Table
[Figure: same topology as the IGRP configuration example: router A (E0 172.16.1.1, S2 10.1.1.1) - router B (S2 10.1.1.2, S3 10.2.2.2) - router C (S3 10.2.2.3, E0 192.168.1.1).]
MONA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
T - traffic engineered route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Ethernet0
10.0.0.0/24 is subnetted, 2 subnets
I 10.2.2.0 [100/90956] via 10.1.1.2, 00:00:23, Serial2
C 10.1.1.0 is directly connected, Serial2
I 192.168.1.0/24 [100/91056] via 10.1.1.2, 00:00:23, Serial2
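The metrics in the routing table (90956 and 91056) and the neighbour metrics in the debug output that follows (88956 and 89056) come from the composite IGRP formula with the K values show ip protocols reports (K1=1, K2=0, K3=1, K4=0, K5=0): 10^7 divided by the lowest bandwidth on the path, plus the sum of the delays in tens of microseconds. The following is an added Python example, not code from the book. The link parameters are constructed: both serial links are assumed to carry bandwidth 115 (kbps) with the IOS default serial delay of 20000 usec, and router C's Ethernet uses the BW 10000 Kbit and DLY 1000 usec that show interfaces displays earlier in the book; these assumptions reproduce the page's numbers exactly.

```python
INACCESSIBLE = 4294967295          # 0xFFFFFFFF: the metric IGRP uses for a route that is down


def igrp_metric(links, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Composite IGRP metric for a path made of links (bandwidth_kbps, delay_usec).
    With the page's K values (K1=K3=1, K2=K4=K5=0) this reduces to
    10^7 // min bandwidth + sum of delays // 10."""
    min_bw = min(bw for bw, _ in links)
    bandwidth_term = 10_000_000 // min_bw
    delay_term = sum(delay for _, delay in links) // 10
    metric = k1 * bandwidth_term + (k2 * bandwidth_term) // (256 - load) + k3 * delay_term
    if k5 != 0:                                   # reliability only counts when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric


# Constructed link parameters (assumption: 'bandwidth 115' on both serial links,
# IOS default delays of 20000 usec for serial and 1000 usec for Ethernet).
SERIAL_AB = (115, 20000)
SERIAL_BC = (115, 20000)
ETHERNET_C = (10000, 1000)


def routes_from_a():
    """Metrics router A installs, as in its 'sh ip route' listing."""
    return {
        "10.2.2.0": igrp_metric([SERIAL_AB, SERIAL_BC]),
        "192.168.1.0": igrp_metric([SERIAL_AB, SERIAL_BC, ETHERNET_C]),
    }


def routes_from_b():
    """Metrics neighbour B (10.1.1.2) advertises: the '(neighbor ...)' values in debug ip igrp trans."""
    return {
        "10.2.2.0": igrp_metric([SERIAL_BC]),
        "192.168.1.0": igrp_metric([SERIAL_BC, ETHERNET_C]),
    }


def is_inaccessible(metric):
    """Matches 'metric 4294967295 (inaccessible)' in the debug output."""
    return metric == INACCESSIBLE


if __name__ == "__main__":
    print("A's table:", routes_from_a())        # {'10.2.2.0': 90956, '192.168.1.0': 91056}
    print("B advertises:", routes_from_b())     # {'10.2.2.0': 88956, '192.168.1.0': 89056}
```

Adding the Ethernet hop at C changes only the delay term (100 for 1000 usec), which is why the two routes differ by exactly 100; the bandwidth term is identical because the slowest link on both paths is a serial one.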
Updating Routing Information Example
MONA# debug ip igrp trans
00:31:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
00:31:15: IGRP: edition is now 3
00:31:15: IGRP: sending update to 255.255.255.255 via Serial2 (10.1.1.1)
00:31:15: network 172.16.0.0, metric=4294967295
00:31:16: IGRP: Update contains 0 interior, 1 system, and 0 exterior routes.
00:31:16: IGRP: Total routes in update: 1
00:31:16: IGRP: broadcasting request on Serial2
00:31:16: IGRP: received update from 10.1.1.2 on Serial2
00:31:16: subnet 10.2.2.0, metric 90956 (neighbor 88956)
00:31:16: network 172.16.0.0, metric 4294967295 (inaccessible)
00:31:16: network 192.168.1.0, metric 91056 (neighbor 89056)
00:31:16: IGRP: Update contains 1 interior, 2 system, and 0 exterior routes.
00:31:16: IGRP: Total routes in update: 3
AHMED#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
AHMED#
ip classless Command
[Figure: a router with E0 on 10.1.0.0 and S0 on 10.2.0.0 toward 172.16.0.0, plus a default route. Its routing table: C 10.1.0.0 E0; C 10.2.0.0 S0; RIP 172.16.0.0 via S0; default 0.0.0.0 E0. The question posed: how does the router get to 10.7.1.1, a subnet of the known major network 10.0.0.0 that is not in the table? Only with ip classless configured does it use the default route for such a destination.]
Link-State and Balanced Hybrid Routing
Link-State Routing Protocols
Link-State Routing Protocol Algorithms
OSPF
Enabling OSPF
Introducing OSPF
*Open standard
*Shortest path first (SPF) algorithm
*Link-state routing protocol (vs. distance vector)
OSPF as a Link-State Protocol
*OSPF propagates link-state advertisements rather than routing table updates.
*LSAs are flooded to all OSPF routers in the area.
*The OSPF link-state database is pieced together from the LSAs generated by the OSPF routers.
*OSPF uses the SPF algorithm to calculate the shortest path to a destination.
-Link = router interface
-State = description of an interface and its relationship to neighboring routers
OSPF Hierarchical Routing
Shortest Path First Algorithm
*Places each router at the root of a tree and calculates the shortest path to each destination based on the
cumulative cost
*Cost = 10^8/bandwidth (bps)
Configuring Single Area OSPF
MONA(config)#router ospf process-id
*Defines OSPF as the IP routing protocol
Router(config-router)#network address mask area area-id
*Assigns networks to a specific OSPF area
Router ID:
*Number by which the router is known to OSPF
*Default: The highest IP address on an active interface at the moment of OSPF process startup
*Can be overridden by a loopback interface: Highest IP address of any active loopback interface
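The cost formula, the SPF calculation that puts each router at the root of a tree, and the router ID rule can all be shown on a small topology. This is an added Python example, not code from the book; the four-router network, its link bandwidths and the interface addresses are constructed. It assumes the usual lower bound of 1 on the computed cost.

```python
import heapq
import ipaddress

REFERENCE_BANDWIDTH = 100_000_000      # OSPF cost = 10^8 / bandwidth (bps)


def ospf_cost(bandwidth_bps):
    """Integer cost; assumption: never below 1 (links faster than 100 Mbps would otherwise be 0)."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


def shortest_path_first(links, root):
    """Dijkstra from the root router over bidirectional links (a, b, bandwidth_bps).
    Returns (cumulative cost to every router, predecessor of every router on the tree)."""
    graph = {}
    for a, b, bw in links:
        graph.setdefault(a, []).append((b, ospf_cost(bw)))
        graph.setdefault(b, []).append((a, ospf_cost(bw)))
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                            # stale queue entry
        for nxt, c in graph.get(node, []):
            if d + c < dist.get(nxt, float("inf")):
                dist[nxt] = d + c
                prev[nxt] = node
                heapq.heappush(heap, (d + c, nxt))
    return dist, prev


def path_to(prev, root, dest):
    """Walk the predecessor map back from dest to the root."""
    path = [dest]
    while path[-1] != root:
        path.append(prev[path[-1]])
    return path[::-1]


def router_id(interface_ips, loopback_ips):
    """Highest active loopback address wins; otherwise the highest active interface address."""
    candidates = loopback_ips or interface_ips
    return str(max(ipaddress.ip_address(ip) for ip in candidates))


# Constructed topology: R1-R2 FastEthernet, R1-R3 Ethernet, R2-R3 and R2-R4 T1, R3-R4 64 kbps.
LINKS = [
    ("R1", "R2", 100_000_000),
    ("R1", "R3", 10_000_000),
    ("R2", "R3", 1_544_000),
    ("R2", "R4", 1_544_000),
    ("R3", "R4", 64_000),
]

if __name__ == "__main__":
    dist, prev = shortest_path_first(LINKS, "R1")
    for router in sorted(dist):
        print(router, dist[router], path_to(prev, "R1", router))
    print(router_id(["10.1.1.1", "172.16.1.1"], ["1.1.1.1"]))   # loopback wins: 1.1.1.1
```

Note that the lowest-numbered loopback (1.1.1.1) still beats a higher physical address, because the loopback rule is applied before the highest-address rule, not merged with it.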
Verifying the OSPF Configuration
MONA#show ip protocols
*Verifies that OSPF is configured
MONA#show ip route
* Displays all the routes learned by the router
MONA#show ip ospf interface
* Displays area-ID and adjacency information
MONA#show ip ospf neighbor
* Displays OSPF-neighbor information on a per-interface basis
OSPF debug commands
MONA#debug ip ospf events
OSPF:hello with invalid timers on interface Ethernet0
hello interval received 10 configured 10
net mask received 255.255.255.0 configured 255.255.255.0
dead interval received 40 configured 30
MONA# debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.117
aid:0.0.0.0 chk:6AB2 aut:0 auk:
MONA#debug ip ospf packet
OSPF: rcv. v:2 t:1 l:48 rid:200.0.0.116
aid:0.0.0.0 chk:0 aut:2 keyid:1 seq:0x0
Enabling EIGRP
Introducing EIGRP
EIGRP supports:
*Rapid convergence
*Reduced bandwidth usage
*Multiple network-layer protocols
EIGRP Terminology
Verifying the EIGRP Configuration
MONA#show ip eigrp neighbors
*Displays the neighbors discovered by IP EIGRP
MONA#show ip eigrp topology
*Displays the IP EIGRP topology table
MONA#show ip route eigrp
*Displays current EIGRP entries in the routing table
MONA#show ip protocols
*Displays the parameters and current state of the active
routing protocol process
MONA#show ip eigrp traffic
*Displays the number of IP EIGRP packets sent and received
debug ip eigrp Command
MONA#debug ip eigrp
IP-EIGRP: Processing incoming UPDATE packet
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.0.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: Ext 192.168.3.0 255.255.255.0 M 386560 - 256000 130560 SM 360960 - 256000 104960
IP-EIGRP: 172.69.43.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.43.0 255.255.255.0 metric 371200 - 256000 115200
IP-EIGRP: 192.135.246.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.246.0 255.255.255.0 metric 46310656 - 45714176 596480
IP-EIGRP: 172.69.40.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 172.69.40.0 255.255.255.0 metric 2272256 - 1657856 614400
IP-EIGRP: 192.135.245.0 255.255.255.0, - do advertise out Ethernet0/1
IP-EIGRP: Ext 192.135.245.0 255.255.255.0 metric 40622080 - 40000000 622080
IP-EIGRP: 192.135.244.0 255.255.255.0, - do advertise out Ethernet0/1
Variable-Length Subnet Masks
Calculating VLSMs
*Routing protocols can summarize addresses of several networks into one address
Summarizing Within an Octet
Implementation Considerations
*Multiple IP addresses must have the same highest-order bits.
*Routing decisions are made based on the entire address.
*Routing protocols must carry the prefix (subnet mask) length.
Route Summarization Operation in Cisco Routers
192.16.5.33   /32   Host
192.16.5.32   /27   Subnet
192.16.5.0    /24   Network
192.16.0.0    /16   Block of Networks
0.0.0.0       /0    Default
*Supports host-specific routes, blocks of networks, default routes
*Routers use the longest match
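The two operations this section describes, building one summary from several networks that share their highest-order bits and choosing the longest matching prefix at lookup time, are shown here in an added Python example that is not code from the book. It uses the page's own five-entry table; the destination addresses looked up and the four /24 networks that get summarized are constructed.

```python
import ipaddress


def longest_match(routing_table, destination):
    """routing_table: list of (prefix, label). Returns the (prefix, label) whose
    network contains the destination and has the longest prefix length."""
    addr = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(prefix), label) for prefix, label in routing_table]
    matches = [(net, label) for net, label in matches if addr in net]
    if not matches:
        return None
    net, label = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), label


def summarize(prefixes):
    """Smallest single prefix covering all the given networks: shorten the prefix
    length until every network agrees on all the remaining highest-order bits."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    anchor = int(nets[0].network_address)
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if all((int(n.network_address) & mask) == (anchor & mask) for n in nets):
            break
        plen -= 1
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0
    return str(ipaddress.IPv4Network((anchor & mask, plen)))


# The page's table of routes, most specific first.
PAGE_TABLE = [
    ("192.16.5.33/32", "Host"),
    ("192.16.5.32/27", "Subnet"),
    ("192.16.5.0/24", "Network"),
    ("192.16.0.0/16", "Block of Networks"),
    ("0.0.0.0/0", "Default"),
]

if __name__ == "__main__":
    for dest in ("192.16.5.33", "192.16.5.40", "192.16.5.200", "192.16.9.1", "10.0.0.1"):
        print(dest, "->", longest_match(PAGE_TABLE, dest))
    # constructed: four consecutive /24s that share their top 22 bits
    print(summarize(["192.16.4.0/24", "192.16.5.0/24", "192.16.6.0/24", "192.16.7.0/24"]))
```

Every destination matches the default route, and most match /16 as well; only the length of the matching prefix decides which entry is used, which is the property summarization relies on and the reason an accidentally over-broad summary silently absorbs traffic for networks it does not really reach.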
Why Use Access Lists?
[Figure: Token Ring and FDDI networks 172.16.0.0 and 172.17.0.0 joined by a router to the Internet.]
Other Access List Uses
*Queue list: special handling for traffic based on packet tests
*Dial-on-demand routing
*Route filtering (routing table)
What Are Access Lists?
[Figure: Access List Processes: an incoming source packet on S0 is tested ("Permit?") before it leaves as an outgoing packet on E0.]
*Standard
-Checks source address
-Generally permits or denies entire protocol suite
*Extended
-Checks source and destination address
-Generally permits or denies specific protocols
*Inbound or Outbound
Outbound Access Lists
[Flow chart: a packet arrives on the inbound interface (S0); the routing table entry chooses the outbound interface (E0); if that interface has no access list the packet is sent out; otherwise the packet is tested against the access list statements and, on permit, sent out of the interface or, on deny, dropped.]
A List of Tests: Deny or Permit
[Flow chart: packets to interfaces in the access group are compared with the first test; on a match the packet is either denied (discard bucket) or permitted (sent to the destination interface); with no match the next test is tried.]
Access List Configuration Guidelines
*Access list numbers indicate which protocol is filtered
*One access list per interface, per protocol, per direction
*The order of access list statements controls testing
*Most restrictive statements should be at the top of the list
*There is an implicit deny any as the last access list test; every list should have at least one permit statement
*Create access lists before applying them to interfaces
*Access lists filter traffic going through the router; they do not apply to traffic originated from the router
Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
MONA(config)# access-list access-list-number { permit | deny } { test conditions }
Step 2: Enable an interface to use the specified access list
MONA(config-if)# { protocol } access-group access-list-number { in | out }
IP access lists are numbered 1-99 or 100-199
How to Identify Access Lists
Access List Type        Number Range/Identifier
IP   Standard           1-99
     Extended           100-199
     Named              Name (Cisco IOS 11.2 and later)
IPX  Standard           800-899
     Extended           900-999
     SAP filters        1000-1099
     Named              Name (Cisco IOS 11.2F and later)
*Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
*Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
*Other access list number ranges test conditions for other networking protocols
Testing Packets with Standard Access Lists
[Figure: a frame header (for example, HDLC) carrying a packet (IP header), a segment (for example, TCP header) and data; a standard list (1-99) uses only the source address in the IP header and then permits or denies the packet.]
Wildcard Bits: How to Check the Corresponding Address Bits
Octet bit position and address value for bit:  128 64 32 16 8 4 2 1
Examples:
0 0 0 0 0 0 0 0 = check all address bits (match all)
Standard IP Access List Example 1
[Figure: a router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13) and S0 toward non-172.16.0.0 networks.]
Standard IP Access List Example 2
[Figure: same topology.]
Control vty Access With Access Class
Filter Virtual Terminal (vty) Access to a Router
[Figure: vty lines 0, 1, 2, 3 and 4 reached by Telnet through physical port e0, alongside the console port (direct connect).]
Configuring Extended IP Access Lists
Standard versus Extended Access Lists
Standard                                         Extended
Filters based on source.                         Filters based on source and destination.
Permit or deny entire TCP/IP protocol suite.     Specifies a specific IP protocol and port number.
Range is 1 through 99.                           Range is 100 through 199.
Extended IP Access List Configuration
MONA(config)# access-list access-list-number { permit | deny } protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
*Sets parameters for this list entry
MONA(config-if)# ip access-group access-list-number { in | out }
*Activates the extended list on an interface
Extended Access List Example 1
[Figure: a router with E0 on 172.16.3.0, E1 on 172.16.4.0 (host 172.16.4.13) and S0 toward non-172.16.0.0 networks.]
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(implicit deny all)
(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)
interface ethernet 0
ip access-group 101 out
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0
Permit all other traffic
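The wildcard-bit rule, top-down first-match processing and the implicit deny at the end of every list (the points made in the wildcard section and the configuration guidelines above) can be checked against the page's list 101 directly. This is an added Python example, not code from the book: a parser for the access-list syntax shown on the page (standard lists with a source and wildcard, extended lists with protocol, source, destination and the eq port operator only) and an evaluator that applies the first matching statement. The packets it tests are constructed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(address, base, wildcard):
    """Cisco wildcard bits: a 0 bit must match the base address, a 1 bit is ignored.
    Wildcard 0.0.0.0 therefore checks all 32 bits (the page's 'match all' example)."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _address(tokens):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare address (standard lists)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and tokens[0][0].isdigit():
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"


def _port(tokens):
    """Consume an optional 'eq PORT' operator (the only operator this example handles)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(lines):
    """Returns entries (action, protocol, (src, wildcard), sport, (dst, wildcard), dport)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                          # the page's parenthesised comment lines are skipped
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:                 # standard IP list: source address only
            entries.append((action, "ip", _address(rest), None, ANY, None))
        else:                                 # extended IP list: protocol, source, destination, ports
            proto = rest.pop(0)
            src, sport = _address(rest), _port(rest)
            dst, dport = _address(rest), _port(rest)
            entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, packet):
    """Top-down: the first matching statement decides; no match hits the implicit deny."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *src) or not wildcard_match(packet["dst"], *dst):
            continue
        if sport is not None and sport != packet.get("sport"):
            continue
        if dport is not None and dport != packet.get("dport"):
            continue
        return action
    return "deny"            # implicit 'deny any' at the end of every access list


# The page's extended list, exactly as written (the comment lines are ignored by the parser).
ACL_101 = [
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
    "access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20",
    "access-list 101 permit ip any any",
    "(access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255)",
]

if __name__ == "__main__":
    entries = parse_acl(ACL_101)
    ftp = {"proto": "tcp", "src": "172.16.4.13", "dst": "172.16.3.7", "sport": 40000, "dport": 21}
    print("FTP control:", evaluate(entries, ftp))               # deny
    print("HTTP:", evaluate(entries, dict(ftp, dport=80)))       # permit
```

Removing the final permit ip any any line leaves only the two deny statements, so every packet not addressed to FTP ports would then fall through to the implicit deny; that is the practical meaning of the guideline that every list needs at least one permit statement.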
Using Named IP Access Lists
*Feature for Cisco IOS Release 11.2 or later
MONA(config)# ip access-list { standard | extended } name
*Alphanumeric name string must be unique
Router(config {std- | ext-}nacl)# { permit | deny } { ip access list test conditions }
{ permit | deny } { ip access list test conditions }
no { permit | deny } { ip access list test conditions }
*Permit or deny statements have no prepended number
*"no" removes the specific test from the named access list
MONA(config-if)# ip access-group name { in | out }
*Activates the IP named access list on an interface
Access List Configuration Principles
*Order of access list statements is crucial
 Recommended: use a text editor on a TFTP server or use a PC to cut and paste
*Top-down processing
 Place more specific test statements first
*No reordering or removal of statements
 Use the no access-list number command to remove an entire access list
 Exception: Named access lists permit removal of individual statements
*Implicit deny all
 Unless the access list ends with explicit permit any
Where to Place IP Access Lists
[Figure: routers A, B, C and D joined by serial links (S0, S1), with Ethernet (E0, E1) and Token Ring (To0) LANs attached.]
NAT and PAT
Scaling the Network with NAT and PAT
Network Address Translation
Translating Inside Source Addresses
Configuring Dynamic Translation
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
*Defines a pool of global addresses to be allocated as needed
MONA(config)#access-list access-list-number permit source [source-wildcard]
*Defines a standard IP access list permitting those inside local addresses that are to be translated
MONA(config)#ip nat inside source list access-list-number pool name
*Establishes dynamic source translation, specifying the access list defined in the prior step
Dynamic Address Translation Example
Configuring Overloading
Router(config)#access-list access-list-number permit source source-wildcard
*Defines a standard IP access list permitting those inside local addresses that are to be translated
MONA(config)#ip nat inside source list access-list-number interface interface overload
*Establishes dynamic source translation, specifying the access list defined in the prior step
Overloading an Inside Global Address Example
MONA#show ip nat statistics
*Displays translation statistics
MONA#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Ethernet0, Serial2.7
Inside interfaces:
Ethernet1
Hits: 5 Misses: 0
Sample Problem: Cannot Ping Remote Host
New Configuration
Using the debug ip nat Command
MONA#debug ip nat
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
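When troubleshooting NAT it helps to turn the raw debug lines into a per-direction view. The following Python parser is an added example, not part of the original page: it reads lines in the format of the debug ip nat output shown above (the sample text is copied from that output), classifies each as outbound (source rewritten, inside local to inside global) or inbound (destination rewritten back), and summarises the addresses involved. The field names are this example's own choice, not IOS terminology.

```python
"""Parse 'debug ip nat' lines into structured translation events. Added
example; the sample text is copied from the debug output shown above."""
import re
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
NAT: s=192.168.1.95->172.31.233.209, d=172.31.2.132 [6825]
NAT: s=172.31.2.132, d=172.31.233.209->192.168.1.95 [21852]
NAT: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6826]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23311]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6827]
NAT*: s=192.168.1.95->172.31.233.209, d=172.31.1.161 [6828]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23313]
NAT*: s=172.31.1.161, d=172.31.233.209->192.168.1.95 [23325]
"""

# "NAT*" marks a packet translated on the fast-switched path; the number in
# brackets is the IP identification field of the translated packet.
LINE_RE = re.compile(
    r"^NAT(?P<fast>\*?): s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<ip_id>\d+)\]$"
)


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    common = {"fast_switched": g["fast"] == "*", "ip_id": int(g["ip_id"])}
    if g["s_new"]:   # source rewritten: inside local -> inside global (outbound)
        return {"direction": "outbound", "inside_local": g["s"],
                "inside_global": g["s_new"], "outside": g["d"], **common}
    if g["d_new"]:   # destination rewritten: inside global -> inside local (inbound)
        return {"direction": "inbound", "inside_local": g["d_new"],
                "inside_global": g["d"], "outside": g["s"], **common}
    return None      # neither address was translated


def parse_debug(text: str) -> List[Dict]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(events: List[Dict]) -> Dict:
    """Counts per direction plus the address sets, the same facts you would
    cross-check against 'show ip nat translations'."""
    return {
        "outbound": sum(e["direction"] == "outbound" for e in events),
        "inbound": sum(e["direction"] == "inbound" for e in events),
        "fast_switched": sum(e["fast_switched"] for e in events),
        "inside_local": sorted({e["inside_local"] for e in events}),
        "inside_global": sorted({e["inside_global"] for e in events}),
        "outside": sorted({e["outside"] for e in events}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_debug(SAMPLE_DEBUG)).items():
        print(f"{key:14} {value}")
```

On the sample this reports one inside host (192.168.1.95) mapped to one inside global address (172.31.233.209) talking to two outside hosts, with both directions present, which is what a working translation should look like; a capture showing only outbound events would point at the return path (routing or the outside interface designation) rather than at the NAT rule itself.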
147
WAN
WAN Connection Types
Leased line: synchronous serial
Circuit-switched (telephone company): asynchronous serial, ISDN Layer 1
Packet-switched (service provider): synchronous serial
Interfacing WAN Service Providers
[Figure: the customer side ends at the demarcation point; the local loop runs to the CO switch, behind which sits the WAN service provider toll network of switches (S)]
145
Serial Point-to-Point Connections
[Figure: the end-user device (DTE) connects through a CSU/DSU (DCE) to the service provider. Router connections use EIA/TIA-232, EIA/TIA-449, V.35, X.21 or EIA-530; network connections are made at the CSU/DSU]
Typical WAN Encapsulation Protocols
[Figure: HDLC, PPP and SLIP are used on leased lines; packet-switched service provider networks use their own encapsulation]
149
HDLC Frame Format
Cisco HDLC
[Figure: the standard HDLC frame (Flag, Address, Control, Data, FCS, Flag) and Cisco HDLC, which adds a proprietary Type field so that several network-layer protocols can share the link]
[Figure: PPP authentication over a dialup or circuit-switched network. The remote router (Hostname: santacruz, Password: boardwalk) identifies itself to a router configured with "username santacruz password boardwalk". With PAP the hostname and password are sent as-is and the authenticating router replies Accept/Reject; with CHAP the remote router instead sends a Response computed from the password, which the authenticating router compares with its own computation before replying Accept/Reject]
151
Configuring PPP and Authentication Overview
[Figure: the authenticating router (the router that received the call) asks the router to be authenticated (the router that initiated the call) to verify who it is, across the service provider network. On both routers: enable PPP (ppp encapsulation), then enable PPP authentication (hostname, username / password, ppp authentication)]
Configuring PPP
MONA(config-if)#encapsulation ppp
*Enables PPP encapsulation on the interface
Configuring PPP Authentication
MONA(config)#hostname name
*Assigns a host name to your router
MONA(config)#username name password password
*Identifies the username and password of authenticating router
Configuring PPP Authentication(cont.)
MONA(config-if)#ppp authentication
{chap | chap pap | pap chap | pap}
Enables PAP and/or CHAP authentication
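The commands above only tell the router which method to run; what CHAP actually does on the wire is a three-way handshake in which the password never leaves either router. The following Python model is an added example, not code from the original page or from Cisco: the two router names and the password are the ones used in the figure above, the Router class and its methods are this example's own construction, and the packet structures are simplified to the fields that matter.

```python
"""Model the PPP CHAP three-way handshake (RFC 1994) between two routers,
each holding the other's 'username <name> password <secret>' entry. Added
example, not from the original page; structures are simplified."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    def __init__(self, hostname: str, users: Dict[str, bytes]):
        self.hostname = hostname
        self.users = users          # from: username <name> password <secret>

    def send_challenge(self, rand=os.urandom) -> Tuple[int, bytes, str]:
        # 1. Authenticator -> peer: Identifier, random Challenge, its own name.
        return rand(1)[0], rand(16), self.hostname

    def answer_challenge(self, identifier: int, challenge: bytes,
                         authenticator_name: str) -> Tuple[int, bytes, str]:
        # 2. Peer looks up the secret it holds for the authenticator's
        #    hostname and returns the digest together with its own name.
        secret = self.users[authenticator_name]
        return identifier, chap_response(identifier, secret, challenge), self.hostname

    def check_response(self, identifier: int, challenge: bytes,
                       response: bytes, peer_name: str) -> str:
        # 3. Authenticator recomputes with the secret stored for the peer's
        #    name and compares in constant time: Success or Failure.
        secret = self.users.get(peer_name)
        if secret is None:
            return "Failure"
        expected = chap_response(identifier, secret, challenge)
        return "Success" if hmac.compare_digest(expected, response) else "Failure"


def run_chap(authenticator: Router, peer: Router, rand=os.urandom) -> str:
    ident, challenge, auth_name = authenticator.send_challenge(rand)
    ident, response, peer_name = peer.answer_challenge(ident, challenge, auth_name)
    return authenticator.check_response(ident, challenge, response, peer_name)


# Constructed config: both sides hold the same secret under the other's name.
MONA = Router("MONA", {"santacruz": b"boardwalk"})
SANTACRUZ = Router("santacruz", {"MONA": b"boardwalk"})
MISMATCH = Router("santacruz", {"MONA": b"boardwalks"})   # typo in one password

if __name__ == "__main__":
    print("matching passwords:", run_chap(MONA, SANTACRUZ))
    print("mismatched passwords:", run_chap(MONA, MISMATCH))
```

Two points the model makes visible: both routers must hold the same password under the other router's hostname (the usual cause of a CHAP failure in the lab is a typo on one side), and because the challenge is random, a captured Response is useless against a later challenge, which is the property PAP lacks.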
Configuring CHAP Example
152
Verifying HDLC and PPP Encapsulation Configuration
MONA#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
LCP Open
Open: IPCP, CDPCP
Last input 00:00:05, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
38021 packets input, 5656110 bytes, 0 no buffer
Received 23488 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
38097 packets output, 2135697 bytes, 0 underruns
0 output errors, 0 collisions, 6045 interface resets
0 output buffer failures, 0 output buffers swapped out
482 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
153
Frame Relay Terminology
[Figure: three sites attached to a Frame Relay network by local access loops (one at T1, two at 64 kbps). Each PVC is identified at each end by a DLCI (100, 200, 400, 500). LMI between router and switch reports PVC status (100=Active, 400=Active) and carries keepalives. A Frame Relay map, learned by Inverse ARP or configured statically, ties the remote IP address (10.1.1.1) to the local DLCI (500)]
154
Cisco supports three LMI standards:
*Cisco
*ANSI T1.617 Annex D
*ITU-T Q.933 Annex A
Frame Relay Inverse ARP and LMI Operation
[Figure: routers 172.168.5.5 (DLCI=100) and 172.168.5.7 (DLCI=400) connected across a Frame Relay cloud; step 1 appears only as a label in the source]
Step 4: Inverse ARP. 172.168.5.5 announces itself over the PVC ("Hello, I am 172.168.5.5.") and 172.168.5.7 answers ("Hello, I am 172.168.5.7.").
Step 5: Each router records a Frame Relay map entry, for example 172.168.5.7 DLCI 100 Active.
Step 6: 172.168.5.5 sends "Hello, I am 172.168.5.5." in turn, and the exchange continues.
156
Configuring Basic Frame Relay
HQ (Rel. 11.2 router):
interface Serial1
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay
 bandwidth 64

Branch (Rel. 10.3 router):
interface Serial1
 ip address 10.16.0.2 255.255.255.0
 encapsulation frame-relay
 bandwidth 64
 frame-relay lmi-type ansi

Static Frame Relay map example
[Figure: HQ reaches Branch over DLCI=100; Branch IP address=10.16.0.2/24]
HQ:
interface Serial1
 ip address 10.16.0.1 255.255.255.0
 encapsulation frame-relay
 bandwidth 64
 frame-relay map ip 10.16.0.2 110 broadcast
157
Verifying Frame Relay Operation
MONA#show interface s0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 10.140.1.2/24
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation FRAME-RELAY, loopback not set, keepalive set (10 sec)
LMI enq sent 19, LMI stat recvd 20, LMI upd recvd 0, DTE LMI up
LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
LMI DLCI 1023 LMI type is CISCO frame relay DTE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 8/0, interface broadcasts 5
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
<Output omitted>
Displays line, protocol, DLCI, and LMI information
Verifying Frame Relay Operation (cont.)
MONA#show frame-relay lmi
LMI Statistics for interface Serial0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 113100 Num Status msgs Rcvd 113100
Num Update Status Rcvd 0 Num Status Timeouts 0
Displays LMI information
Verifying Frame Relay Operation (cont.)
MONA#show frame-relay pvc 100
PVC Statistics for interface Serial0 (Frame Relay DTE)
DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 28 output pkts 10 in bytes 8398
out bytes 1198 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 10 out bcast bytes 1198
pvc create time 00:03:46, last time pvc status changed 00:03:47
Displays PVC traffic statistics
Verifying Frame Relay Operation (cont.)
MONA#show frame-relay map
Serial0 (up): ip 10.140.1.1 dlci 100(0x64,0x1840), dynamic,
broadcast,, status defined, active
Displays the route maps, either static or dynamic
155
Verifying Frame Relay Operation (cont.)
MONA#debug frame-relay lmi
Frame Relay LMI debugging is on
Displaying all Frame Relay LMI data
Router#
1w2d: Serial0(out): StEnq, myseq 140, yourseen 139, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8C 8B
1w2d:
1w2d: Serial0(in): Status, myseq 140
1w2d: RT IE 1, length 1, type 1
1w2d: KA IE 3, length 2, yourseq 140, myseq 140
1w2d: Serial0(out): StEnq, myseq 141, yourseen 140, DTE up
1w2d: datagramstart = 0xE008EC, datagramsize = 13
1w2d: FR encap = 0xFCF10309
1w2d: 00 75 01 01 01 03 02 8D 8C
1w2d:
1w2d: Serial0(in): Status, myseq 142
1w2d: RT IE 1, length 1, type 0
1w2d: KA IE 3, length 2, yourseq 142, myseq 142
1w2d: PVC IE 0x7 , length 0x6 , dlci 100, status 0x2 , bw 0
Displays LMI debug information
Selecting a Frame Relay Topology
Full Mesh
Partial Mesh
159
Reachability Issues with Routing Updates
[Figure: hub router A connected to spoke routers B and C over a partially meshed Frame Relay network; a routing update arriving from B (step 1) has to be sent on to C (steps 2 and 3)]
Problem:
Broadcast traffic must be replicated for each active connection
Resolving Reachability Issues
[Figure: one physical interface S0 carrying logical subinterfaces S0.1, S0.2 and S0.3, one per subnet A, B and C]
Solution:
*Split horizon can cause problems in NBMA environments
*Subinterfaces can resolve split horizon issues
*A single physical interface simulates multiple logical interfaces
Configuring Subinterfaces
Point-to-Point
Subinterfaces act as leased line
Each point-to-point subinterface requires its own subnet
Applicable to hub and spoke topologies
Multipoint
Subinterfaces act as an NBMA network, so they do not resolve the split horizon issue
Can save address space because a single subnet is used
Applicable to partial-mesh and full-mesh topologies
169
Configuring Point-to-Point Subinterfaces
[Figure: router A reaches B over DLCI=110 through s0.2 (10.17.0.1, remote 10.17.0.2) and C over DLCI=120 through s0.3 (10.18.0.1, remote 10.18.0.2)]
interface Serial0
 no ip address
 encapsulation frame-relay
!
interface Serial0.2 point-to-point
 ip address 10.17.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 110
!
interface Serial0.3 point-to-point
 ip address 10.18.0.1 255.255.255.0
 bandwidth 64
 frame-relay interface-dlci 120
!

Multipoint subinterface example
[Figure: RTR1 (s2.2=10.17.0.1/24) reaches the other routers over DLCI=120, DLCI=130 (RTR3) and DLCI=140 (RTR4), all within one subnet]
interface Serial2
 no ip address
 encapsulation frame-relay
!
interface Serial2.2 multipoint
 ip address 10.17.0.1 255.255.255.0
 bandwidth 64
 frame-relay map ip 10.17.0.2 120 broadcast
 frame-relay map ip 10.17.0.3 130 broadcast
 frame-relay map ip 10.17.0.4 140 broadcast
161
IPsec (Internet Protocol Security)
IPsec (Internet Protocol Security) is a framework for a set of protocols for
security at the network or packet processing layer of network communication.
Earlier security approaches have inserted security at the Application layer of the
communications model. IPsec is said to be especially useful for implementing
virtual private networks and for remote user access through dial-up connection to
private networks. A big advantage of IPsec is that security arrangements can be
handled without requiring changes to individual user computers. Cisco has been a
leader in proposing IPsec as a standard (or combination of standards and
technologies) and has included support for it in its network routers.
IPsec provides two choices of security service: Authentication Header (AH),
which essentially allows authentication of the sender of data, and Encapsulating
Security Payload (ESP), which supports both authentication of the sender and
encryption of data as well. The specific information associated with each of these
services is inserted into the packet in a header that follows the IP packet header.
Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.
162
Internet Key Exchange
Before secured data can be exchanged, a security agreement between the two
computers must be established. In this security agreement, called a security
association (SA), both agree on how to exchange and protect information, as
shown in the following illustration.
To build this agreement between the two computers, the IETF has established a
standard method of security association and key exchange resolution named
Internet Key Exchange (IKE) which:
*Generates and manages shared, secret keys that are used to secure the
information.
The following are the steps that comprise a main mode negotiation.
1/Policy negotiation
The following four mandatory parameters are negotiated as part of the main mode
SA:
*The Diffie-Hellman group to be used for the base keying material: Group 1 (768
bits of keying material), Group 2 (1,024 bits), or Group 2048 (2,048 bits)
If certificates or preshared keys are used for authentication, the computer identity is
protected. If Kerberos V5 authentication is used, the computer identity is
unencrypted until encryption of the entire identity payload takes place during
authentication.
Important
For enhanced security, do not use Diffie-Hellman Group 1. For maximum security,
use Group 2048 whenever possible. Use Group 2 when required for interoperability
with Windows 2000 and Windows XP.
For more information about Diffie-Hellman groups, see Key exchange methods.
For more information about preshared key authentication, see Preshared key
authentication.
1/Authentication
To prevent a successful man-in-the-middle attack, the computers attempt to
authenticate the Diffie-Hellman key exchange. Without successful authentication,
communication will not proceed. The master key is used, in conjunction with the
164
negotiation algorithms and methods, to authenticate identities. The entire identity
payload is hashed and encrypted using the keys generated from the Diffie-
Hellman exchange in the second step. The payload includes the identity type (for
authentication), port, and protocol. IPSec uses the following identity types for
authentication: For certificate authentication, the certificate distinguished name
and general name; for Kerberos V5 and preshared key authentication, IPv4
addresses, the fully qualified domain name (FQDN) of the computer, and FQDN
of the user. The identity payload, regardless of which authentication method is
used, is protected from both modification and interpretation.
The sender presents an offer for a potential security association to the receiver.
The responder cannot modify the offer. Should the offer be modified, the initiator
rejects the responder's message. The responder sends either a reply accepting the
offer or a reply with alternatives.
Messages sent during this phase have an automatic retry cycle that is repeated
five times. If a response is received before the retry cycle ends, standard SA
negotiation begins. If allowed by IPSec policy, unsecured communications will
begin after a brief interval. If unsecured communications begin, after five
minutes of idle time (during which no messages are sent), secured
communication negotiation is attempted the next time messages are sent. If
messages are sent continuously, the communication remains unsecured during the
lifetime set for the main mode policy. After the policy time has elapsed, a new
secured communication negotiation attempt is made.
There is no preset limit to the number of exchanges that can take place. The
number of SAs established is only limited by system resources. When estimating
the number of SAs that can be established without significantly degrading
computer performance, consider the CPU processing strength and RAM of the
computer, the lifetime of the SA, and how much traffic is being sent over the
SAs.
The following are the steps that comprise a quick mode negotiation.
The IPSec computers exchange the following requirements for securing the data
transfer:
165
*The IPSec protocol (AH or ESP)
A common agreement is reached, and two SAs are established. One SA is for
inbound communication and the other is for outbound communication.
1/The SAs and keys, along with the SPI, are passed to the IPSec driver.
The second negotiation of security settings and keying material (for the purpose of
securing data) is protected by the main mode SA. As the first phase provided
identity protection, the second phase provides protection by refreshing the keying
material prior to sending data. IKE can accommodate a key exchange payload for
an additional Diffie-Hellman exchange if a rekey is necessary--that is, master key
perfect forward secrecy (PFS) is enabled. Otherwise, IKE refreshes the keying
material from the Diffie-Hellman exchange completed in main mode.
Quick mode results in a pair of security associations, each with its own SPI and key.
One SA is used for inbound communication, and the other for outbound
communication.
Notes
*Although there are two separate quick mode SAs established, IP Security Monitor
only displays a single quick mode SA.
*Computers running Windows 2000 must have the High Encryption Pack or
Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer
running Windows 2000 receives a 3DES setting, but does not have the High
Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the
security method is set to the weaker DES, to provide some level of confidentiality
for communication, rather than blocking all communication. However, you should
only use DES as a fallback option if not all computers in your environment support
the use of 3DES. Computers running Windows XP or a Windows Server 2003
operating system support 3DES and do not require installation of the High
Encryption Pack.
166
The retry algorithm for a message is similar to the process described in main
mode negotiation. However, if this process times out for any reason during the
second or higher negotiation off of the same main mode SA, a renegotiation of
the main mode SA is attempted. If a message for this phase is received without an
established main mode SA, it is rejected.
Using a single main mode SA for multiple quick mode SA negotiations increases
the speed of the process. As long as the main mode SA does not expire,
renegotiation and reauthentication are not necessary. The number of quick mode
SA negotiations that can be performed is determined by IPSec policy settings.
Note
*Excessive rekeying off of the same main mode SA might make the shared,
secret key vulnerable to a known plaintext attack. A known plaintext attack is a
sniffer attack in which the attacker attempts to determine the encryption key from
encrypted data based on known plaintext.
SA lifetimes
When the default time-out period elapses for the main mode SA, or the master or
session key lifetime is reached, a delete message is sent to the responder. The
IKE delete message tells the responder to expire the main mode SA. This
prevents additional new quick mode SAs from being created from the expired
main mode SA. IKE does not expire the quick mode SA, because only the IPSec
driver contains the number of seconds or bytes that have passed to reach the key
lifetime.
Use caution when setting very different key lifetimes for master and session keys.
For example, setting a master key lifetime of eight hours and a session key
lifetime of two hours might leave a quick mode SA in place for almost two hours
after the main mode SA has expired. This occurs when the quick mode SA is
generated shortly before main mode SA expiration.
It is generally recommended that all of the IKE settings (for example, master key
PFS and key lifetime) and security methods remain at their defaults to avoid
unnecessary administrative overhead. This provides a standard (medium) level of
security. If your security plan calls for a high level of security, you should consider
modifying the default security methods.
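The main mode and quick mode descriptions above can be followed more easily with a small model of the two phases. The following Python code is an added example, not from the original page and not Microsoft's or Cisco's implementation: it runs an authenticated Diffie-Hellman exchange using the RFC 2409 Group 2 prime, derives SKEYID from a pre-shared key, checks each side's identity hash (which covers the DH values and the SA offer, so a modified offer or a substituted public value is rejected, as the text describes), and then derives the pair of quick mode SAs, one per direction with its own SPI and key. The prf is HMAC-SHA256 and the payload layouts are simplifications; the result is not wire-compatible IKE.

```python
"""Toy model of IKE main mode (a Diffie-Hellman exchange authenticated with a
pre-shared key) followed by quick mode (one key per direction, each under
its own SPI). Added example, not from the original page; prf = HMAC-SHA256
and the payload layouts are simplifications of RFC 2409."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# RFC 2409 Diffie-Hellman Group 2: the 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(PLEN, "big")


class Peer:
    """One IKE endpoint: identity, pre-shared key, DH key pair, nonce, SPI."""
    def __init__(self, identity: str, psk: bytes, rand=os.urandom):
        self.identity = identity.encode()
        self.psk = psk
        self.priv = int.from_bytes(rand(32), "big")   # DH private exponent
        self.pub = pow(G, self.priv, P)               # g^x, sent in the clear
        self.nonce = rand(16)
        self.spi = rand(4)      # SPI this peer assigns to its inbound SA
        self.skeyid: Optional[bytes] = None
        self.shared: Optional[int] = None

    def derive(self, peer_pub: int, nonce_i: bytes, nonce_r: bytes) -> None:
        # Reject degenerate values that would force a trivial shared secret.
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid DH public value")
        self.shared = pow(peer_pub, self.priv, P)
        # Pre-shared-key authentication: SKEYID = prf(psk, Ni | Nr).
        self.skeyid = prf(self.psk, nonce_i + nonce_r)

    def auth_hash(self, own_pub: int, peer_pub: int, offer: bytes, ident: bytes) -> bytes:
        # Covers both DH values and the SA offer, so a swapped g^x or an edited
        # offer fails verification; needs the PSK, so a stranger cannot forge it.
        return prf(self.skeyid, i2b(own_pub) + i2b(peer_pub) + offer + ident)


def main_mode(init: Peer, resp: Peer, offer: bytes,
              offer_seen_by_resp: Optional[bytes] = None,
              mitm: Optional[Peer] = None) -> bool:
    """True if both sides accept each other's identity hash. `mitm` simulates
    an on-path party substituting its own g^x in both directions;
    `offer_seen_by_resp` simulates an SA offer modified in transit."""
    offer_r = offer if offer_seen_by_resp is None else offer_seen_by_resp
    pub_i_seen = mitm.pub if mitm else init.pub     # what the responder sees
    pub_r_seen = mitm.pub if mitm else resp.pub     # what the initiator sees
    init.derive(pub_r_seen, init.nonce, resp.nonce)
    resp.derive(pub_i_seen, init.nonce, resp.nonce)
    hash_i = init.auth_hash(init.pub, pub_r_seen, offer, init.identity)
    hash_r = resp.auth_hash(resp.pub, pub_i_seen, offer_r, resp.identity)
    # Each side recomputes the other's hash from its own view of the exchange.
    ok_r = hmac.compare_digest(
        hash_i, resp.auth_hash(pub_i_seen, resp.pub, offer_r, init.identity))
    ok_i = hmac.compare_digest(
        hash_r, init.auth_hash(pub_r_seen, init.pub, offer, resp.identity))
    return ok_r and ok_i


def quick_mode(me: Peer, peer: Peer, nonce_i: bytes, nonce_r: bytes,
               protocol: bytes = b"ESP") -> Dict[str, Tuple[bytes, bytes]]:
    """This side's inbound and outbound SAs as (SPI, key), refreshed from the
    main mode secret without PFS. Real quick mode sends fresh nonces; the
    main mode nonces are reused here for brevity."""
    skeyid_d = prf(me.skeyid, i2b(me.shared) + b"\x00")
    keymat = lambda spi: prf(skeyid_d, protocol + spi + nonce_i + nonce_r)
    return {"inbound": (me.spi, keymat(me.spi)), "outbound": (peer.spi, keymat(peer.spi))}


if __name__ == "__main__":
    psk = b"constructed-example-psk"
    a, b = Peer("10.0.0.1", psk), Peer("10.0.0.2", psk)
    print("main mode authenticated:", main_mode(a, b, b"ESP-3DES-SHA"))
    print("initiator SAs:", {k: v[0].hex() for k, v in quick_mode(a, b, a.nonce, b.nonce).items()})
```

The MITM case shows why the text insists on authenticating the Diffie-Hellman exchange: the two honest sides still compute matching SKEYIDs (those depend only on the PSK and nonces), but the identity hashes no longer verify because each side signed the public value it actually saw. The quick mode output also makes the "two SAs, one per direction" statement concrete: the initiator's inbound key equals the responder's outbound key and vice versa, and the two keys differ because the SPIs differ.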
167
ESP, Encapsulating Security Payload
Description:
ESP will function with both the IPv4 and IPv6 protocols.
ESP supports two modes of operation, tunnel mode and transport mode.
RFC 4303:
The ESP header is designed to provide a mix of security services in IPv4 and
IPv6. ESP may be applied alone, in combination with AH, or in a nested fashion.
165
ESP header (bit positions 0-31):
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Security Parameters Index (SPI)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Sequence Number                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Payload Data (variable)                    |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |     Padding (0-255 bytes)     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |  Pad Length   | Next Header   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              Authentication Data (variable)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
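To see how the fields above are laid out and consumed in practice, the following Python code is an added example (not from the original page or from any IPsec implementation) that builds a packet in the RFC 4303 layout, parses it back, and applies the anti-replay window that the Sequence Number field exists for. It assumes the payload is left unencrypted so the trailer stays visible, and uses HMAC-SHA1-96 (RFC 2404) as the integrity algorithm producing a 12-byte Authentication Data field; the key and packet contents are constructed for the example.

```python
"""Build and parse the ESP layout from RFC 4303: SPI, sequence number,
payload, padding, pad length, next header, then the integrity check value
(ICV). Added example, not from the original page. Assumptions: payload left
unencrypted; ICV is HMAC-SHA1-96 (RFC 2404) over everything before it."""
import hashlib
import hmac
import struct
from typing import Dict

ICV_LEN = 12                   # HMAC-SHA1-96 truncates the 20-byte MAC to 96 bits
HEADER = struct.Struct("!II")  # SPI, Sequence Number (32-bit each, network order)
SAMPLE_KEY = b"\x0b" * 20      # constructed key for the example


def build_esp(spi: int, seq: int, payload: bytes, next_header: int,
              key: bytes, align: int = 4) -> bytes:
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of
    # `align` (4 per RFC 4303; a block cipher would demand its block size).
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default pattern 1,2,3,...
    body = HEADER.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


def parse_esp(packet: bytes, key: bytes) -> Dict:
    if len(packet) < HEADER.size + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Verify the ICV before trusting any field, so a forged pad length or
    # next header cannot steer the parser.
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch")
    spi, seq = HEADER.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    inner = body[HEADER.size:-2]
    if pad_len > len(inner):
        raise ValueError("pad length exceeds payload")
    payload, padding = inner[:len(inner) - pad_len], inner[len(inner) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_header}


class ReplayWindow:
    """RFC 4303 anti-replay check: a sliding bitmap over the last `size`
    sequence numbers; duplicates and numbers below the window are rejected."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # first valid sequence number is 1
            return False
        if seq > self.top:                 # slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:    # too old, outside the window
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:              # already seen: replay
            return False
        self.bitmap |= bit
        return True


if __name__ == "__main__":
    pkt = build_esp(0x1000, 1, b"hello", 6, SAMPLE_KEY)   # next header 6 = TCP
    print(pkt.hex())
    print(parse_esp(pkt, SAMPLE_KEY))
    window = ReplayWindow()
    print([window.accept(s) for s in (1, 3, 2, 2, 100, 36, 37)])
```

Two design choices are worth noting for anyone writing a receiver: the ICV is checked before any length field is interpreted, and the sequence number is checked against the window only after integrity passes, since a replayed or forged sequence number must not be allowed to move the window.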
179
IPv6
Introduction to IPv6
Due to recent concerns over the impending depletion of the current pool of Internet
addresses and the desire to provide additional functionality for modern devices, an
upgrade of the current version of the Internet Protocol (IP), called IPv6, has been
standardized. This new version, called IP version 6 (IPv6), resolves unanticipated IPv4
design issues and takes the Internet into the 21st Century.
This paper describes the problems of the IPv4 Internet and how they are addressed by
IPv6, IPv6 addressing, the new IPv6 header and its extensions, the IPv6 replacements
for the Internet Control Message Protocol (ICMP) and Internet Group Management
Protocol (IGMP), neighboring node interaction, IPv6 address autoconfiguration, and
IPv6 routing. This paper provides a foundation of Internet standards-based IPv6
concepts and is intended for network engineers and support professionals who are
already familiar with basic networking concepts and TCP/IP.
TCP/IP v4 and v6
Windows Server 2008 and Windows Vista TCP/IP was completely redesigned to
support both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) to
meet the connectivity and performance needs of today's varied networking
environments and technologies.
These protocols provide IP addresses, the "phone numbers" for the Internet that are
responsible for identifying computers and devices so that they can communicate.
IPv6 is designed to solve many of the problems of IPv4, including mobility, auto-
configuration, and overall extensibility. IPv6 expands the address space on the Internet
and supports a nearly unlimited number of devices that can be directly connected to the
Internet.
171
172
Development of computers in Sudan (1967-1984):
The first computer in Sudan, and perhaps in Africa and the Middle East, was introduced in 1967, with the founding of the Computer Centre at the University of Khartoum for training students, scientific research and administrative use. This was followed by the Central Administration, which introduced the computer for managing customer accounts in 1965, and in the following year the Department of Statistics introduced the computer for statistical work. The situation then remained as it was until the seventies, when the Railways Administration and the Sudanese and Japanese textile factories brought the computer into their administration, and in 1977 the computer was introduced to the Econometrics Division at the University of Khartoum for the same purposes as the Computer Centre. During the years 1959, 1979 and 1975 a remarkable expansion in computer use took place: more than fifteen institutions brought the computer into their administration, thanks to the arrival of small, powerful, easy-to-use computers supported by suitable application software, at reasonable and fairly cost-effective prices. This class of computer continued to spread until the mid-eighties, by which time their number had exceeded [illegible].¹
Table: computers installed in Sudanese institutions (values as printed in the source)
Columns: institution; location; model; year of installation; memory size; hours of use per day; applications

(a) ICL
Sudanese Textile Factory; Khartoum; 1951; 1974; 48 KB; 6; commercial
Japanese Textile Factory; Khartoum; 1951; 1975; 48 KB; cancelled; commercial
Sudan Railways; Atbara; 1951; 1976; 48 KB; 6; commercial
Econometrics Division, University of Khartoum; Khartoum; 1951; 1977; 48 KB; 6; commercial and scientific
Department of Statistics; Khartoum; ME 19; 1984; 8 MB; (not given); scientific
Sudan Airways; Khartoum; ME 19; 1984; 555 KB; -; scientific and commercial
¹ Journal of Sudanese Studies, first issue, volume seven, August 1959.
173
(b) IBM
Central Electricity Administration; Khartoum; 15/165, replaced by NCR; 1968; 64 / 4515 KB (as printed); 16; commercial
Department of Statistics; Khartoum; 15/165, replaced by ICL ME 519; 1969; 64 KB; 15; scientific
Shell; Khartoum; 15/165, replaced by System 14; 1975; 64; 6; commercial
Abu Dhabi Bank; Khartoum; System 14; 1981; 118 KB; 8; commercial

(c) Wang
Bittar Company; Khartoum; VP 1155; 1978; 11 KB; 8; commercial
Sudanese International Bank; Khartoum; (same); 1979; 64 KB; 8; commercial
Nilein Bank; Khartoum; MVP 1155; 1979; 64 KB; 8; commercial
Bank of Khartoum; Khartoum; (same); 1979; 64 KB; 8; commercial
Al-Rubi Company; Khartoum; VP 1155; 1985; 64 KB; 8; commercial
Armed Forces; Khartoum; MVP 1155; 1981; 64 KB; 8; scientific and commercial
174
(d) (vendor label missing in the source)
Masbio; Atbara; I 9515 x1; 1985; 64 KB; 8; commercial
Bank al-Itimad; Omdurman; I 9515; 1985; 118 KB; 8; commercial
Unity Bank; Khartoum; I 9515 x11; 1985; 64 KB; 8; commercial
Bank al-Itimad; Port Sudan; I 9515; 1985; 64 KB; 8; commercial
Nilein Bank; Khartoum; I 9515 x15; 1985; 64 KB; 8; commercial
Middle East Bank; Khartoum; I 9515; 1985; 118 KB; 8; commercial
Gezira Services; Khartoum; 9515 x4; 1981; 64; 6; commercial
People's Cooperative Bank; Khartoum; 9515 x1; 1981; 64 KB; 8; commercial
Blue Nile Bank; Khartoum; I 9515; 1981; 118 KB; 8; commercial
Dairy Company; Khartoum; I 9545; 1981; 156 KB; 8; commercial
Sudanese Islamic Bank; Khartoum; I 9515; 1981; 156 KB; 8; commercial
Bank of Khartoum; Khartoum; I 9515 x14; 1981; 64 KB; 8; commercial
Islamic Solidarity Bank; Khartoum; I 9515; 1984; 156 KB; =; commercial

(e) Plessey (group name partly illegible in the source)
National Bank (al-Ahli); Khartoum; Plessey 11; 1981; 118 KB; 8; commercial
National Bank (al-Ahli); Omdurman; (same); 1981; (same); (same); (same)
National Bank (al-Ahli); Port Sudan; (same); 1981; (same); (same); (same)
Physics Department, University of Khartoum; Khartoum; (same); 1984; (same); (same); (same)
Army; Khartoum; (same); 1984; (same); 8; commercial and scientific
Medical Supplies; Khartoum; (same); 1984; (same); (same); commercial
National Research Council; Khartoum; (same); 1984; (same); (same); scientific
1
175
Microcomputers in Sudan
176
Figure 1: microcomputers in Sudan by year of installation, with hours of use per day plotted against the standard limit (17 hours); the plotted values are not recoverable from the source
177
Number and type of computers marketed to Sudanese institutions
[figure not recoverable from the source]
175
Conclusion:
179
Page  Subject
a  Quranic verse
b  Dedication
c  Acknowledgements
6  Introduction
7  Definition of the computer
7  Basic components of the computer
5  Computer units
19  Definition of computer networks (Computer Network)
11  Windows 2000 networks (Windows 2000 Network)
11  Network types (Network Type)
15  Router
17  Switch
18  The difference between ROUTER and SWITCH
OSI
19 OSI Model Overview
19 Role of Application Layers
21 Role of Data Flow Layers
23 Encapsulating Data
24 De-encapsulating Data
24 Physical Layer Functions
25 Hubs Operate at Physical layer
26 TCP/IP Protocol Stack
26 Application Layer Overview
27 TCP Segment Format
33 UDP Segment Format
33 Internet Layer Overview
34 Address Resolution Protocol
35 Reverse ARP
36 Introduction to TCP/IP Addresses
37 IP Addressing
35 IP Address Classes
39 IP Address Classes Exercise
49 Addressing without Subnets
42 Decimal Equivalents of Bit Patterns
44 Broadcast Addresses
46 Class B Subnet
47 Class C Subnet
45 VLAN to VLAN Overview
159
59 Introducing IP Addresses
52 Subnet Addressing
55 Cisco IOS User Interface Fundamentals
56 Checking Switch LED Indicators
57 Logging into the Switch and Entering the Enable Password
69 BootUp Output from the Router
61 Setup Interface Parameters
63 Logging into the Router
65 Using Enhanced Editing Commands
67 Setup saves the configuration to NVRAM
69 Router Password Configuration
79 Configuring a Serial Interface
72 Discovering Neighbors with CDP
74 Using Telnet to Connect to Remote Devices
76 ROM Functions
77 Finding the IOS
79 Loading the IOS from Flash
52 copy run tftp and copy tftp run Commands
53 Managing IOS Images
55 Switch
57 Broadcast Storms
99 Spanning-Tree Protocol
93 Bridging Compared to LAN Switching
95 VLAN
96 ISL Tagging
95 VTP Modes
199 Routing
191 Static Routes
192 What is a Routing Protocol?
194 Classes of Routing Protocols
195 Distance Vector
199 Poison Reverse
112 Link-State Routing Protocols
113 Verifying the Routing Protocol—RIP
115 IGRP
116 Configuring IGRP
115 Updating Routing Information Example
129 Link-State and Balanced Hybrid Routing
122 OSPF
123 Configuring Single Area OSPF
125 Enabling EIGRP
125 Why Use Access Lists
151
137 Control vty Access With Access Class
149 Using Named IP Access Lists
142 NAT and PAT
146 Sample Problem: Cannot Ping Remote Host
145 WAN
159 HDLC Frame Format
155 Frame Relay Inverse ARP and LMI Operation
157 Configuring Basic Frame Relay
162 IPsec (Internet Protocol Security)
163 Internet Key Exchange
171 IPv6
173  Development of computers in Sudan
176  Microcomputers in Sudan
175  Number and type of computers marketed to Sudanese institutions
179  Conclusion
159  Contents
152